Physicians have new duties to protect patients’ protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).
The HITECH Act requires physicians, as well as hospitals and insurance companies, to notify patients, the Department of Health and Human Services, and in some cases the news media of security breaches involving “unsecured” PHI.
“Unsecured” PHI means PHI that is usable, readable or decipherable by unauthorized individuals, for example, unencrypted electronic PHI.
A security breach is the unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy and poses a significant risk of financial, reputational, or other harm to the patient.
When PHI is accessed, acquired, or disclosed for a purpose authorized by law, e.g. providing health care services or for obtaining payment for the services, then there is, of course, no breach and no notice obligation.
When a provider discovers a breach of unsecured PHI, the provider must simultaneously notify the individual whose information was involved and the Department of Health and Human Services. The notice must describe:
(a) The breach;
(b) The types of PHI involved;
(c) The steps the individual should take concerning the PHI; and
(d) What the provider is doing to investigate, to mitigate and to protect against further disclosure of PHI.
If the breach involves PHI of more than 500 people in a state or jurisdiction, the provider must notify the news media. The provider must give notice as soon as possible but no more than 60 days after the discovery of the breach. Since notice must be given promptly, it is important to have a plan in place to determine when a breach has occurred and the process for notice.
There are several exceptions to the new notification requirements. Notification is not required if PHI is disclosed:
(a) Inadvertently to another member of the provider’s staff for a purpose within the scope of their employment; or
(b) To an unauthorized person, in the good faith belief that the recipient could not retain the PHI.
Note that PHI only includes health information that a provider holds in its role as health care provider, so the notification requirements would not apply to the unauthorized disclosure of health information held by the provider in its capacity as an employer regarding its employees.
The HITECH Act imposes substantial civil penalties for failure to give timely notice of a breach of unsecured PHI. The deadline for complying with these new notice requirements is February 18, 2010.