The American Recovery and Reinvestment Act, signed into law on February 17, 2009, included the Health Information Technology for Economic and Clinical Health Act (HITECH). Besides creating electronic health record incentives, HITECH expands the covered-entity and business-associate requirements of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), and the supporting privacy and security rules that safeguard protected health information (PHI).
In turn, the HITECH Act required the Department of Health and Human Services (HHS) to issue interim final regulations (the rules) governing notification in the event of a breach of PHI. HHS published the rules in the Federal Register on August 24, 2009.
The notification obligations apply only to breaches of unsecured PHI as defined in the rules: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption (with the decryption key kept separate from the data) or destruction consistent with HHS guidance. PHI secured in that way falls outside the notification regime, which makes encryption of PHI at rest and in transit the most practical single safeguard. Upon becoming aware of an incident involving PHI, the pharmacy or business associate must determine whether the incident triggers the obligation to notify the affected individuals, HHS, and in some cases the media.
The rules call for a three-step analysis. First, determine whether there has been an impermissible use or disclosure of PHI under the HIPAA privacy rule. Second, perform and document a risk assessment to determine whether the impermissible use or disclosure compromised the privacy or security of the PHI, that is, whether it poses a significant risk of financial, reputational, or other harm to the individual. Third, determine whether the incident falls within one of three regulatory exceptions (unintentional, good-faith access by a workforce member acting within the scope of authority; inadvertent disclosure between persons authorized to access PHI at the same entity or arrangement; and disclosure to a recipient who could not reasonably have retained the information), none of which triggers the notification obligation. The documentation matters: the pharmacy carries the burden of demonstrating that an incident did not require notification.
Upon discovery of a breach of unsecured PHI, the pharmacy must notify each individual whose unsecured PHI was used or disclosed as a result of the breach, in the manner set forth in the rules and without unreasonable delay, and in no case later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to the pharmacy, or by exercising reasonable diligence would have been known.
The rules set forth additional obligations to report to HHS and, in some cases, to the media. If a breach involves more than 500 residents of a state or jurisdiction, the pharmacy must also notify prominent media outlets serving that state or jurisdiction and report the breach to HHS at the same time the individual notices go out; breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Notification may be undertaken in a variety of ways set forth in the rules.
A business associate that discovers a breach must notify the pharmacy without unreasonable delay, and in no case later than 60 calendar days after discovery. It is important to note that a business associate's discovery of a breach is imputed to the pharmacy if the business associate is an agent of the pharmacy under the federal common law of agency, so the pharmacy's own notice period begins when the business associate discovers the breach, not when the business associate reports it to the pharmacy.
On the other hand, if the business associate is an independent contractor rather than an agent, the pharmacy's notice period for a breach discovered by the business associate begins when the business associate notifies the pharmacy, unless the pharmacy had already discovered the breach itself.
Some ambiguity exists as to whether the HITECH Act and the rules require existing HIPAA business-associate agreements to be amended. Amending them to incorporate appropriate security-breach safeguards is the more cautious approach, and it is in the pharmacy's interest to include specific security-breach provisions in its business-associate agreements: at minimum, the deadline and required content of the business associate's breach report to the pharmacy, and the business associate's duty to cooperate in the risk assessment and to preserve the documentation that supports it.
The rules took effect September 23, 2009. However, HHS acknowledged that it will take time to amend and implement the policies, procedures, and systems needed to comply with them. HHS therefore indicated that it will exercise enforcement discretion and not impose sanctions for failure to provide the required notifications for breaches discovered before February 22, 2010.
Because the rules are interim, they may still change. Until then, pharmacies should make sure they comply with the rules as they currently stand.
Ned Milenkovich is a member at McDonald Hopkins LLC, where he chairs the Drug & Pharmacy Group. He is also a member of the Illinois State Board of Pharmacy. He can be reached at 312-642-1480 or by e-mail at firstname.lastname@example.org