New Rules (and Penalties) for Protected Health Information Breaches

Cox Smith Employee Benefits E-Alert

Fleshing out a requirement of the Health Information Technology for Economic and Clinical Health ("HITECH") Act, the U.S. Department of Health and Human Services ("HHS") published new HIPAA guidance on August 24, 2009 that establishes standards for notification of breaches of unsecured protected health information ("PHI"). The guidance is effective for breaches occurring on or after September 23, 2009. Violation of the breach notification rules can result in penalties ranging from $100 to $50,000 per violation, capped at $1.5 million per year. However, HHS has discretion in enforcing the civil penalties for violations that occur before February 20, 2010.

HIPAA-covered entities and business associates must:

  • create unsecured PHI breach notification policies and procedures;
  • draft addenda to their business associate agreements;
  • train employees on the new policies and procedures; and
  • sanction employees for failure to comply.

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals by use of the encryption or destruction methods specified by HHS in guidance published earlier this year and clarified further in this guidance. The new guidance adds a harm element to the definition of "breach": a breach occurs when unsecured PHI is acquired, accessed, used, or disclosed and there is a "significant risk of financial, reputational, or other harm to the individual."

The HITECH Act provides three exceptions to the definition of breach, and the guidance gives an example for each:

1. Disclosure made in good faith, within the course and scope of employment, that does not result in further disclosure.

Example: A billing employee receives and opens an e-mail containing PHI about a patient that a nurse mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient, alerts the nurse to the misdirected e-mail, and then deletes it.

2. Inadvertent disclosure by an authorized individual to another authorized individual at the same covered entity or business associate, if the PHI is not further used or disclosed.

Example: A covered entity's authorized workforce member discloses PHI in violation of the HIPAA Privacy Rule to a physician who has staff privileges with the entity. As long as the information is not further used or disclosed in violation of the HIPAA Privacy Rule, the exception applies.

3. Good faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information.

Example: A covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. The returned, unopened EOBs are not considered breaches.

If the breach does not meet one of the three exceptions, the covered entity or business associate must conduct a risk assessment to determine whether there is a significant risk of financial, reputational, or other harm to the individual, and must document this process. The guidance notes that, given the rising concern about employment discrimination, the risk assessment should broadly consider the impact the type of information could have on the individual, instead of focusing only on historically sensitive information such as mental health. Immediate mitigation of potential harm, such as destruction of the information or execution of a confidentiality agreement to prevent further use or disclosure, may reduce the risk of harm enough to avoid a breach.

A narrow exception excuses the duty of conducting the risk assessment when the unsecured PHI is a "limited data set" that also excludes dates of birth and zip codes. If a covered entity or business associate is relying on this exception it must document that the PHI did not contain that information.

Required Notifications

Many different types of notification may be required depending on the breach. Individual notice or substitute notice is always required, as is notice to the Secretary of HHS, given either at the time individual notices are sent or in an annual submission, depending on how many individuals were affected. The full report covers the required content of the notices and the period within which they must be given.


Please call any of our benefits lawyers listed if you have any questions regarding this new guidance, or if you would like to receive further information.

Mary M. Potter
Joshua A. Sutin
Katherine Patton Noll