Breach Notification for Unsecured Protected Health Information, 42740-42770 [E9-20169]

Agencies

• Office of the Secretary
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 74, Number 162 (Monday, August 24, 2009)]
[Rules and Regulations]
[Pages 42740-42770]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-20169]



[[Page 42739]]

-----------------------------------------------------------------------

Part II





Department of Health and Human Services





-----------------------------------------------------------------------



45 CFR Parts 160 and 164



Breach Notification for Unsecured Protected Health Information; Interim 
Final Rule

Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules 
and Regulations

[[Page 42740]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB56


Breach Notification for Unsecured Protected Health Information

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Interim final rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS) is issuing 
this interim final rule with a request for comments to require 
notification of breaches of unsecured protected health information. 
Section 13402 of the Health Information Technology for Economic and 
Clinical Health (HITECH) Act, part of the American Recovery and 
Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, 
requires HHS to issue interim final regulations within 180 days to 
require covered entities under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) and their business associates to 
provide notification in the case of breaches of unsecured protected 
health information. For purposes of determining what information is 
``unsecured protected health information,'' in this document HHS is 
also issuing an update to its guidance specifying the technologies and 
methodologies that render protected health information unusable, 
unreadable, or indecipherable to unauthorized individuals.

DATES: Effective Date: This interim final rule is effective September 
23, 2009.
    Comment Date: Comments on the provisions of this interim final rule 
are due on or before October 23, 2009. Comments on the information 
collection requirements associated with this rule are due on or before 
September 8, 2009.

ADDRESSES: You may submit comments, identified by RIN 0991-AB56, by any 
of the following methods (please do not submit duplicate comments):
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Attachments should be 
in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft 
Word.
     Regular, Express, or Overnight Mail: U.S. Department of 
Health and Human Services, Office for Civil Rights, Attention: HITECH 
Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 
Independence Avenue, SW., Washington, DC 20201. Please submit one 
original and two copies.
     Hand Delivery or Courier: Office for Civil Rights, 
Attention: HITECH Breach Notification, Hubert H. Humphrey Building, 
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please 
submit one original and two copies. (Because access to the interior of 
the Hubert H. Humphrey Building is not readily available to persons 
without federal government identification, commenters are encouraged to 
leave their comments in the mail drop slots located in the main lobby 
of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. We will post all comments 
received before the close of the comment period at https://www.regulations.gov. Because comments will be made public, they should 
not include any sensitive personal information, such as a person's 
social security number; date of birth; driver's license number, state 
identification number or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov or U.S. Department 
of Health and Human Services, Office for Civil Rights, 200 Independence 
Avenue, SW., Washington, DC 20201 (call ahead to the contact listed 
below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

    The Health Information Technology for Economic and Clinical Health 
(HITECH) Act, Title XIII of Division A and Title IV of Division B of 
the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-
5), was enacted on February 17, 2009. Subtitle D of Division A of the 
HITECH Act (the Act), entitled ``Privacy,'' among other provisions, 
requires the Department of Health and Human Services (HHS or the 
Department) to issue interim final regulations for breach notification 
by covered entities subject to the Administrative Simplification 
provisions of the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA) (Pub. L. 104-191) and their business associates.
    These breach notification provisions are found in section 13402 of 
the Act and apply to HIPAA covered entities and their business 
associates that access, maintain, retain, modify, record, store, 
destroy, or otherwise hold, use, or disclose unsecured protected health 
information. The Act incorporates the definitions of ``covered 
entity,'' ``business associate,'' and ``protected health information'' 
used in the HIPAA Administrative Simplification regulations (45 CFR 
parts 160, 162, and 164) (HIPAA Rules) at Sec.  160.103. Under the 
HIPAA Rules, a covered entity is a health plan, health care 
clearinghouse, or health care provider that transmits any health 
information electronically in connection with a covered transaction, 
such as submitting health care claims to a health plan. Business 
associate, as defined in the HIPAA Rules, means a person who performs 
functions or activities on behalf of, or certain services for, a 
covered entity that involve the use or disclosure of individually 
identifiable health information. Examples of business associates 
include third party administrators or pharmacy benefit managers for 
health plans, claims processing or billing companies, transcription 
companies, and persons who perform legal, actuarial, accounting, 
management, or administrative services for covered entities and who 
require access to protected health information. The HIPAA Rules define 
``protected health information'' as the individually identifiable 
health information held or transmitted in any form or medium by these 
HIPAA covered entities and business associates, subject to certain 
limited exceptions.
    The Act requires HIPAA covered entities to provide notification to 
affected individuals and to the Secretary of HHS following the 
discovery of a breach of unsecured protected health information. In 
addition, in some cases, the Act requires covered entities to provide 
notification to the media of breaches. In the case of a breach of 
unsecured protected health information at or by a business associate of 
a covered entity, the Act requires the business associate to notify the 
covered entity of the breach. Finally, the Act requires the Secretary 
to post on an HHS Web site a list of covered entities that experience 
breaches of unsecured protected health information involving more than 
500 individuals.

[[Page 42741]]

    Section 13400(1) of the Act defines ``breach'' to mean, generally, 
the unauthorized acquisition, access, use, or disclosure of protected 
health information which compromises the security or privacy of such 
information. The Act provides exceptions to this definition to 
encompass disclosures where the recipient of the information would not 
reasonably have been able to retain the information, certain 
unintentional acquisition, access, or use of information by employees 
or persons acting under the authority of a covered entity or business 
associate, as well as certain inadvertent disclosures among persons 
similarly authorized to access protected health information at a 
business associate or covered entity.
    Further, section 13402(h) of the Act defines ``unsecured protected 
health information'' as ``protected health information that is not 
secured through the use of a technology or methodology specified by the 
Secretary in guidance'' and provides that the guidance specify the 
technologies and methodologies that render protected health information 
unusable, unreadable, or indecipherable to unauthorized individuals. 
Covered entities and business associates that implement the specified 
technologies and methodologies with respect to protected health 
information are not required to provide notifications in the event of a 
breach of such information--that is, the information is not considered 
``unsecured'' in such cases. As required by the Act, the Secretary 
initially issued this guidance on April 17, 2009 (it was subsequently 
published in the Federal Register at 74 FR 19006 on April 27, 2009). 
The guidance listed and described encryption and destruction as the two 
technologies and methodologies for rendering protected health 
information unusable, unreadable, or indecipherable to unauthorized 
individuals.
    In cases in which notification is required, the Act at section 
13402 prescribes the timeliness, content, and methods of providing the 
breach notifications. We discuss these and the above statutory 
provisions in more detail below where we describe section-by-section 
how these new regulations implement the breach notification provisions 
at section 13402 of the Act.
    In addition to the breach notification provisions for HIPAA covered 
entities and business associates at section 13402, section 13407 of the 
Act, which is to be implemented and enforced by the Federal Trade 
Commission (FTC), imposes similar breach notification requirements upon 
vendors of personal health records (PHRs) and their third party service 
providers following the discovery of a breach of security of unsecured 
PHR identifiable health information.\1\ As with the definition of 
``unsecured protected health information,'' the provisions at section 
13407(f)(3) define ``unsecured PHR identifiable health information'' as 
PHR identifiable health information that is not protected through the 
use of a technology or methodology specified by the Secretary of HHS in 
guidance. Thus, entities subject to the FTC breach notification rules 
must also use the Secretary's guidance to determine whether the 
information subject to a breach was ``unsecured'' and, therefore, 
whether breach notification is required.
---------------------------------------------------------------------------

    \1\ The FTC issued a notice of proposed rulemaking to implement 
section 13407 of the Act on April 20, 2009 (74 FR 17914).
---------------------------------------------------------------------------

    When HHS issued the guidance, HHS also published in the same 
document a request for information (RFI), inviting public comment both 
on the guidance itself, as well as on the breach provisions of section 
13402 of the Act generally. After considering the public comment, we 
are issuing an updated version of the guidance in Section II below. In 
addition, we discuss public comment received on the Act's breach 
notification provisions where relevant below in the section-by-section 
description of the interim final rule.
    We have concluded that we have good cause, under 5 U.S.C. 
553(b)(B), to waive the notice-and-comment requirements of the 
Administrative Procedure Act and to proceed with this interim final 
rule. Section 13402(j) explicitly required us to issue these 
regulations as ``interim final regulations'' and to do so within 180 
days. Based on this statutory directive and limited time frame, we 
concluded that notice-and-comment rulemaking was impracticable and 
contrary to public policy. Nevertheless, we sought comments in the RFI 
referenced above and considered those comments when drafting this rule. 
In addition, we provide the public with a 60-day period following 
publication of this document to submit comments on the interim final 
rule.

II. Guidance Specifying the Technologies and Methodologies That Render 
Protected Health Information Unusable, Unreadable, or Indecipherable to 
Unauthorized Individuals

A. Background

    As discussed above, section 13402 of the Act requires breach 
notification following the discovery of a breach of unsecured protected 
health information. Section 13402(h) of the Act defines ``unsecured 
protected health information'' as ``protected health information that 
is not secured through the use of a technology or methodology specified 
by the Secretary in guidance'' and requires the Secretary to specify in 
the guidance the technologies and methodologies that render protected 
health information unusable, unreadable, or indecipherable to 
unauthorized individuals. As required by the Act, this guidance was 
issued on April 17, 2009, and later published in the Federal Register 
on April 27, 2009 (74 FR 19006). The guidance specified encryption and 
destruction as the technologies and methodologies for rendering 
protected health information, as well as PHR identifiable health 
information under section 13407 of the Act and the FTC's implementing 
regulation, unusable, unreadable, or indecipherable to unauthorized 
individuals such that breach notification is not required. The RFI 
asked for general comment on this guidance as well as for specific 
comment on the technologies and methodologies to render protected 
health information unusable, unreadable, or indecipherable to 
unauthorized individuals.
    Many commenters expressed concern and confusion regarding the 
purpose of the guidance and its impact on a covered entity's 
responsibilities under the HIPAA Security Rule (45 CFR part 164, 
subparts A and C). We emphasize that this guidance does nothing to 
modify a covered entity's responsibilities with respect to the Security 
Rule nor does it impose any new requirements upon covered entities to 
encrypt all protected health information. The Security Rule requires 
covered entities to safeguard electronic protected health information 
and permits covered entities to use any security measures that allow 
them to reasonably and appropriately implement all safeguard 
requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered 
entity must consider implementing encryption as a method for 
safeguarding electronic protected health information; however, because 
these are addressable implementation specifications, a covered entity 
may be in compliance with the Security Rule even if it reasonably 
decides not to encrypt electronic protected health information and 
instead uses a comparable method to safeguard the information.
    Therefore, if a covered entity chooses to encrypt protected health 
information to comply with the Security Rule, does so pursuant to this 
guidance, and subsequently discovers a breach of that

[[Page 42742]]

encrypted information, the covered entity will not be required to 
provide breach notification because the information is not considered 
``unsecured protected health information'' as it has been rendered 
unusable, unreadable, or indecipherable to unauthorized individuals. On 
the other hand, if a covered entity has decided to use a method other 
than encryption or an encryption algorithm that is not specified in 
this guidance to safeguard protected health information, then although 
that covered entity may be in compliance with the Security Rule, 
following a breach of this information, the covered entity would have 
to provide breach notification to affected individuals. For example, a 
covered entity that has a large database of protected health 
information may choose, based on their risk assessment under the 
Security Rule, to rely on firewalls and other access controls to make 
the information inaccessible, as opposed to encrypting the information. 
While the Security Rule permits the use of firewalls and access 
controls as reasonable and appropriate safeguards, a covered entity 
that seeks to ensure breach notification is not required in the event 
of a breach of the information in the database would need to encrypt 
the information pursuant to the guidance.
    We also received several comments asking for clarification and 
additional detail regarding the forms of information and the specific 
devices and protocols described in the guidance. As a result, we 
provide clarification regarding the forms of information addressed in 
the National Institute of Standards and Technology (NIST) publications 
referenced in the guidance. We clarify that ``data in motion'' includes 
data that is moving through a network, including wireless transmission, 
whether by e-mail or structured electronic interchange, while ``data at 
rest'' includes data that resides in databases, file systems, flash 
drives, memory, and any other structured storage method. ``Data in 
use'' includes data in the process of being created, retrieved, 
updated, or deleted, and ``data disposed'' includes discarded paper 
records or recycled electronic media.
    Additionally, many commenters suggested that access controls be 
included in the guidance as a method for rendering protected health 
information unusable, unreadable, or indecipherable to unauthorized 
individuals. We recognize that access controls, as well as other 
security methods such as firewalls, are important tools for 
safeguarding protected health information. While we believe access 
controls may render information inaccessible to unauthorized 
individuals, we do not believe that access controls meet the statutory 
standard of rendering protected health information unusable, 
unreadable, or indecipherable to unauthorized individuals. If access 
controls are compromised, the underlying information may still be 
usable, readable, or decipherable to an unauthorized individual, and 
thus, constitute unsecured protected health information for which 
breach notification is required. Therefore, we have not included access 
controls in the guidance; however, we do emphasize the benefit of 
strong access controls, which may function to prevent breaches of 
unsecured protected health information from occurring in the first 
place.
    Other commenters suggested that the guidance include redaction of 
paper records as an alternative to destruction. Because redaction is 
not a standardized methodology with proven capabilities to destroy or 
render the underlying information unusable, unreadable or 
indecipherable, we do not believe that redaction is an accepted 
alternative method to secure paper-based protected health information. 
Therefore, we have clarified in this guidance that only destruction of 
paper protected health information, and not redaction, will satisfy the 
requirements to relieve a covered entity or business associate from 
breach notification. We note, however, that covered entities and 
business associates may continue to create limited data sets or de-
identify protected health information through redaction if the removal 
of identifiers results in the information satisfying the criteria of 45 
CFR 164.514(e)(2) or 164.514(b), respectively. Further, a loss or theft 
of information that has been redacted appropriately may not require 
notification under these rules either because the information is not 
protected health information (as in the case of de-identified 
information) or because the unredacted information does not compromise 
the security or privacy of the information and thus, does not 
constitute a breach as described in Section IV below.
    In response to comments received, we also make two additional 
clarifications in the guidance. First, for purposes of the guidance 
below and ensuring encryption keys are not breached, we clarify that 
covered entities and business associates should keep encryption keys on 
a separate device from the data that they encrypt or decrypt. Second, 
we also include in the guidance below a note regarding roadmap guidance 
activities on the part of the NIST pertaining to data storage on 
enterprise-level storage devices, such as RAID (redundant array of 
inexpensive disks), or SAN (storage-attached network) systems.
    For ease of reference, we have published this updated guidance in 
this document below; however, it will also be available on the HHS Web 
site at https://www.hhs.gov/ocr/privacy/. Any further comments regarding 
this guidance received in response to the interim final rule will be 
addressed in the first annual update to the guidance, to be issued in 
April 2010.

B. Guidance Specifying the Technologies and Methodologies that Render 
Protected Health Information Unusable, Unreadable, or Indecipherable to 
Unauthorized Individuals

    Protected health information (PHI) is rendered unusable, 
unreadable, or indecipherable to unauthorized individuals if one or 
more of the following applies:
    (a) Electronic PHI has been encrypted as specified in the HIPAA 
Security Rule by ``the use of an algorithmic process to transform data 
into a form in which there is a low probability of assigning meaning 
without use of a confidential process or key'' \2\ and such 
confidential process or key that might enable decryption has not been 
breached. To avoid a breach of the confidential process or key, these 
decryption tools should be stored on a device or at a location separate 
from the data they are used to encrypt or decrypt. The encryption 
processes identified below have been tested by the National Institute 
of Standards and Technology (NIST) and judged to meet this standard.
---------------------------------------------------------------------------

    \2\ 45 CFR 164.304, definition of ``encryption.''
---------------------------------------------------------------------------

    (i) Valid encryption processes for data at rest are consistent with 
NIST Special Publication 800-111, Guide to Storage Encryption 
Technologies for End User Devices.3 4
---------------------------------------------------------------------------

    \3\ NIST Roadmap plans include the development of security 
guidelines for enterprise-level storage devices, and such guidelines 
will be considered in updates to this guidance, when available.
    \4\ Available at https://www.csrc.nist.gov/.
---------------------------------------------------------------------------

    (ii) Valid encryption processes for data in motion are those which 
comply, as appropriate, with NIST Special Publications 800-52, 
Guidelines for the Selection and Use of Transport Layer Security (TLS) 
Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL 
VPNs, or others which are Federal Information Processing Standards 
(FIPS) 140-2 validated.\5\
---------------------------------------------------------------------------

    \5\ Available at https://www.csrc.nist.gov/.

---------------------------------------------------------------------------

[[Page 42743]]

    (b) The media on which the PHI is stored or recorded have been 
destroyed in one of the following ways:
    (i) Paper, film, or other hard copy media have been shredded or 
destroyed such that the PHI cannot be read or otherwise cannot be 
reconstructed. Redaction is specifically excluded as a means of data 
destruction.
    (ii) Electronic media have been cleared, purged, or destroyed 
consistent with NIST Special Publication 800-88, Guidelines for Media 
Sanitization,\6\ such that the PHI cannot be retrieved.
---------------------------------------------------------------------------

    \6\ Available at https://www.csrc.nist.gov/.
---------------------------------------------------------------------------

III. Overview of Interim Final Rule

    We are adding a new subpart D to part 164 of title 45 of the Code 
of Federal Regulations (CFR) to implement the breach notification 
provisions in section 13402 of the Act. These provisions apply to HIPAA 
covered entities and their business associates and set forth the 
requirements for notification to affected individuals, the media, and 
the Secretary of HHS following a breach of unsecured protected health 
information. In drafting this interim final regulation, we considered 
the public comments received in response to the RFI described above.
    In addition, we consulted closely with the FTC in the development 
of these regulations. Commenters in response to both the RFI as well as 
the FTC's notice of proposed rulemaking urged HHS and the FTC to work 
together to ensure that the regulated entities know with which rule 
they must comply and that those entities that are subject to both rules 
because they may operate in different roles are not subject to two 
completely different and inconsistent regulatory schemes. In addition, 
commenters were concerned that individuals could receive multiple 
notices of the same breach if the HHS and the FTC regulations 
overlapped. Thus, HHS coordinated with the FTC to ensure these issues 
were addressed in the respective rulemakings. First, the rules make 
clear that entities operating as HIPAA covered entities and business 
associates are subject to HHS', and not the FTC's, breach notification 
rule. Second, in those limited cases where an entity may be subject to 
both HHS' and the FTC's rules, such as a vendor that offers PHRs to 
customers of a HIPAA covered entity as a business associate and also 
offers PHRs directly to the public, we worked with the FTC to ensure 
both sets of regulations were harmonized by including the same or 
similar requirements, within the constraints of the statutory language. 
See Section IV.F. below for a more detailed discussion and an example 
of our harmonization efforts.

IV. Section-by-Section Description of Interim Final Rule

    The following discussion describes the provisions of the interim 
final rule section by section. Those interested in commenting on the 
interim final rule can assist the Department by preceding discussion of 
any particular provision or topic with a citation to the section of the 
interim final rule being discussed.

A. Applicability--Section 164.400

    Section 164.400 of the interim final rule provides that this breach 
notification rule is applicable to breaches occurring on or after 30 
days from the date of publication of this interim final rule. See 
Section IV.K. Effective/Compliance Date of this rule for further 
discussion.

B. Definitions--Section 164.402

    Section 164.402 of the interim final rule adopts definitions for 
the terms ``breach'' and ``unsecured protected health information.''
1. Breach
    Section 13402 of the Act and this interim final rule require 
covered entities and business associates to provide notification 
following a breach of unsecured protected health information. Section 
13400(1)(A) of the Act defines ``breach'' as the ``unauthorized 
acquisition, access, use, or disclosure of protected health information 
which compromises the security or privacy of the protected health 
information, except where an unauthorized person to whom such 
information is disclosed would not reasonably have been able to retain 
such information.'' Section 13400(1)(B) of the Act provides several 
exceptions to the definition of ``breach.'' Based on section 
13400(1)(A), we have defined ``breach'' at Sec.  164.402 of the interim 
final rule as ``the acquisition, access, use, or disclosure of 
protected health information in a manner not permitted under subpart E 
of this part which compromises the security or privacy of the protected 
health information.'' We have added paragraph (1) to the definition to 
clarify when the security or privacy of information is considered to be 
compromised. Paragraph (2) of the definition then includes the 
statutory exceptions, including the exception within section 
13400(1)(A) that refers to whether the recipient would reasonably have 
been able to retain the information.
Protected Health Information
    We note that the definition of ``breach'' is limited to protected 
health information. With respect to a covered entity or business 
associate of a covered entity, protected health information is 
individually identifiable health information that is transmitted or 
maintained in any form or medium, including electronic information. 45 
CFR 160.103. If information is de-identified in accordance with 45 CFR 
164.514(b), it is not protected health information, and thus, any 
inadvertent or unauthorized use or disclosure of such information will 
not be considered a breach for purposes of this subpart. Additionally, 
Sec.  160.103 excludes certain types of individually identifiable 
health information from the definition of ``protected health 
information,'' such as employment records held by a covered entity in 
its role as employer. If individually identifiable health information 
that is not protected health information is used or disclosed in an 
unauthorized manner, it would not qualify as a breach for purposes of 
this subpart--although the covered entity should consider whether it 
has notification requirements under other laws. Further, we note that 
although the definition of ``breach'' applies to protected health 
information generally, covered entities and business associates are 
required to provide the breach notifications required by the Act and 
this interim final rule (discussed below) only upon a breach of 
unsecured protected health information. See also Section II of this 
document for a list of the technologies and methodologies that render 
protected health information secure such that notification is not 
required in the event of a breach.
Unauthorized Acquisition, Access, Use, or Disclosure
    The statute defines a ``breach'' as the ``unauthorized'' 
acquisition, access, use, or disclosure of protected health 
information. Several commenters asked that we define ``unauthorized'' 
or that we clarify its meaning. We clarify that ``unauthorized'' is an 
impermissible use or disclosure of protected health information under 
the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the 
definition of ``breach'' at Sec.  160.402 of the interim final rule 
interprets the ``unauthorized acquisition, access, use, or disclosure 
of protected health information'' as ``the acquisition, access, use, or 
disclosure of protected health information in a manner not permitted 
under subpart E of this part.'' We emphasize that not all violations of 
the Privacy Rule will be

[[Page 42744]]

breaches under this subpart, and therefore, covered entities and 
business associates need not provide breach notification in all cases 
of impermissible uses and disclosures. We also note that the HIPAA 
Security Rule provides for administrative, physical, and technical 
safeguards and organizational requirements for electronic protected 
health information, but does not govern uses and disclosures of 
protected health information. Accordingly, a violation of the Security 
Rule does not itself constitute a potential breach under this subpart, 
although such a violation may lead to a use or disclosure of protected 
health information that is not permitted under the Privacy Rule and 
thus, may potentially be a breach under this subpart.
    The Act does not define the terms ``acquisition'' and ``access.'' 
Several commenters asked that we define or identify the differences 
between acquisition, access, use, and disclosure of protected health 
information, for purposes of the definition of ``breach.'' We interpret 
``acquisition'' and ``access'' to information based on their plain 
meanings and believe that both terms are encompassed within the current 
definitions of ``use'' and ``disclosure'' in the HIPAA Rules. 
Accordingly, we have not added separate definitions for these terms. We 
have retained the statutory terms in the regulation in order to 
maintain consistency with the statute. In addition, we note that while 
the HIPAA Security Rule at Sec.  164.304 includes a definition of the 
term ``access,'' such definition is limited to the ability to use 
``system resources'' and not to access to information more generally 
and thus, we have revised that definition to make clear that it does 
not apply for purposes of these breach notification rules.
    For an acquisition, access, use, or disclosure of protected health 
information to constitute a breach, it must constitute a violation of 
the Privacy Rule. Therefore, one of the first steps in determining 
whether notification is necessary under this subpart is to determine 
whether a use or disclosure violates the Privacy Rule. We note that 
uses or disclosures that impermissibly involve more than the minimum 
necessary information, in violation of Sec. Sec.  164.502(b) and 
164.514(d), may qualify as breaches under this subpart. In contrast, a 
use or disclosure of protected health information that is incident to 
an otherwise permissible use or disclosure and occurs despite 
reasonable safeguards and proper minimum necessary procedures would not 
be a violation of the Privacy Rule pursuant to 45 CFR 
164.502(a)(1)(iii) and, therefore, would not qualify as a potential 
breach. Finally, violations of administrative requirements, such as a 
lack of reasonable safeguards or a lack of training, do not themselves 
qualify as potential breaches under this subpart (although such 
violations certainly may lead to impermissible uses or disclosures that 
qualify as breaches).
Compromises the Security or Privacy of Protected Health Information
    The Act and regulation next limit the definition of ``breach'' to a 
use or disclosure that ``compromises the security or privacy'' of the 
protected health information. Accordingly, once it is established that 
a use or disclosure violates the Privacy Rule, the covered entity must 
determine whether the violation compromises the security or privacy of 
the protected health information.
    For the purposes of the definition of ``breach,'' many commenters 
suggested that we add a harm threshold such that an unauthorized use or 
disclosure of protected health information is considered a breach only 
if the use or disclosure poses some harm to the individual. These 
commenters noted that the ``compromises the security or privacy'' 
language in section 13400(1)(A) of the Act contemplates that covered 
entities will perform some type of risk assessment to determine if 
there is a risk of harm to the individual, and therefore, if a breach 
has occurred. Commenters urged that the addition of a harm threshold to 
the definition would also align this regulation with many State breach 
notification laws that require entities to reach similar harm 
thresholds before providing notification. Finally, some commenters 
noted that failure to include a harm threshold for requiring breach 
notification may diminish the impact of notifications received by 
individuals, as individuals may be flooded with notifications for 
breaches that pose no threat to the security or privacy of their 
protected health information or, alternatively, may cause unwarranted 
panic in individuals, and the expenditure of undue costs and other 
resources by individuals in remedial action.
    We agree that the statutory language encompasses a harm threshold 
and have clarified in paragraph (1) of the definition that 
``compromises the security or privacy of the protected health 
information'' means ``poses a significant risk of financial, 
reputational, or other harm to the individual.'' This ensures better 
consistency and alignment with State breach notification laws, as well 
as existing obligations on Federal agencies (some of which also must 
comply with these rules as HIPAA covered entities) pursuant to OMB 
Memorandum M-07-16 to have in place breach notification policies for 
personally identifiable information that take into account the likely 
risk of harm caused by a breach in determining whether breach 
notification is required. Thus, to determine if an impermissible use or 
disclosure of protected health information constitutes a breach, 
covered entities and business associates will need to perform a risk 
assessment to determine if there is a significant risk of harm to the 
individual as a result of the impermissible use or disclosure. In 
performing the risk assessment, covered entities and business 
associates may need to consider a number or combination of factors, 
some of which are described below.\7\
---------------------------------------------------------------------------

    \7\ Covered entities may also wish to review OMB Memorandum M-
07-16 for examples of the types of factors that may need to be taken 
into account in determining whether an impermissible use or 
disclosure presents a significant risk of harm to the individual.
---------------------------------------------------------------------------

    Covered entities and business associates should consider who 
impermissibly used or to whom the information was impermissibly 
disclosed when evaluating the risk of harm to individuals. If, for 
example, protected health information is impermissibly disclosed to 
another entity governed by the HIPAA Privacy and Security Rules or to a 
Federal agency that is obligated to comply with the Privacy Act of 1974 
(5 U.S.C. 552a) and the Federal Information Security Management Act of 
2002 (44 U.S.C. 3541 et seq.), there may be less risk of harm to the 
individual, since the recipient entity is obligated to protect the 
privacy and security of the information it received in the same or 
similar manner as the entity that disclosed the information. In 
contrast, if protected health information is impermissibly disclosed to 
any entity or person that does not have similar obligations to maintain 
the privacy and security of the information, the risk of harm to the 
individual is much greater.
    We expect that there may be circumstances where a covered entity 
takes immediate steps to mitigate an impermissible use or disclosure, 
such as by obtaining the recipient's satisfactory assurances that the 
information will not be further used or disclosed (through a 
confidentiality agreement or similar means) or will be destroyed. If 
such steps eliminate or reduce the risk of harm to the individual to a 
less than ``significant risk,'' then we interpret that the security and 
privacy of the

[[Page 42745]]

information has not been compromised and, therefore, no breach has 
occurred.
    In addition, there may be circumstances where impermissibly 
disclosed protected health information is returned prior to it being 
accessed for an improper purpose. For example, if a laptop is lost or 
stolen and then recovered, and a forensic analysis of the computer 
shows that its information was not opened, altered, transferred, or 
otherwise compromised, such a breach may not pose a significant risk of 
harm to the individuals whose information was on the laptop. Note, 
however, that if a computer is lost or stolen, we do not consider it 
reasonable to delay breach notification based on the hope that the 
computer will be recovered.
    In performing a risk assessment, covered entities and business 
associates should also consider the type and amount of protected health 
information involved in the impermissible use or disclosure. If the 
nature of the protected health information does not pose a significant 
risk of financial, reputational, or other harm, then the violation is 
not a breach. For example, if a covered entity improperly discloses 
protected health information that merely included the name of an 
individual and the fact that he received services from a hospital, then 
this would constitute a violation of the Privacy Rule, but it may not 
constitute a significant risk of financial or reputational harm to the 
individual. In contrast, if the information indicates the type of 
services that the individual received (such as oncology services), that 
the individual received services from a specialized facility (such as a 
substance abuse treatment program \8\), or if the protected health 
information includes information that increases the risk of identity 
theft (such as a social security number, account number, or mother's 
maiden name), then there is a higher likelihood that the impermissible 
use or disclosure compromised the security and privacy of the 
information. The risk assessment should be fact specific, and the 
covered entity or business associate should keep in mind that many 
forms of health information, not just information about sexually 
transmitted diseases or mental health, should be considered sensitive 
for purposes of the risk of reputational harm--especially in light of 
fears about employment discrimination.
---------------------------------------------------------------------------

    \8\ Note that an impermissible disclosure that indicates that an 
individual has received services from a substance abuse treatment 
program may also constitute a violation of 42 U.S.C. 290dd-2 and the 
implementing regulations at 42 CFR part 2. These provisions require 
the confidentiality of substance abuse patient records.
---------------------------------------------------------------------------

    We also address impermissible uses and disclosures involving 
limited data sets (as the term is used at 45 CFR 164.514(e) of the 
Privacy Rule), in paragraph (1) of the definition of ``breach'' at 
Sec.  164.402 of the interim final rule. In the RFI discussed above, we 
asked for public comment on whether limited data sets should be 
considered unusable, unreadable, or indecipherable and included as a 
methodology in the guidance. A limited data set is created by removing 
the 16 direct identifiers listed in Sec.  164.514(e)(2) from the 
protected health information.\9\ These direct identifiers include the 
name, address, social security number, and account number of an 
individual or the individual's relative, employer, or household member. 
When these 16 direct identifiers are removed from the protected health 
information, the information is not completely de-identified pursuant 
to 45 CFR 164.514(b). In particular, the elements of dates, such as 
dates of birth, and zip codes, are allowed to remain within the limited 
data set, which increase the potential for re-identification of the 
information. Because there is a risk of re-identification of the 
information within a limited data set, the Privacy Rule treats this 
information as protected health information that may only be used or 
disclosed as permitted by the Privacy Rule.
---------------------------------------------------------------------------

    \9\ A limited data set is protected health information that 
excludes the following direct identifiers of the individual or of 
relatives, employers, or household members of the individual: (1) 
Names; (2) postal address information, other than town or city, 
State, and zip code; (3) telephone numbers; (4) fax numbers; (5) e-
mail addresses; (6) social security numbers; (7) medical record 
numbers; (8) health plan beneficiary numbers; (9) account numbers; 
(10) certificate/license plate numbers; (11) vehicle identifiers and 
serial numbers; (12) device identifiers and serial numbers; (13) Web 
URLs; (14) Internet Protocol (IP) address numbers; (15) biometric 
identifiers, including finger and voice prints; and (16) full face 
photographic images and any comparable images.
---------------------------------------------------------------------------

    Several commenters suggested that the limited data set should not 
be included in the guidance as a method to render protected health 
information unusable, unreadable, or indecipherable to unauthorized 
individuals such that breach notification is not required. These 
commenters cited concerns about the risk of re-identification of 
protected health information in a limited data set and noted that, as 
more data exists in electronic form and as more data becomes public, it 
will be easier to combine these various sources to re-establish the 
identity of the individual. Furthermore, due to the risk of re-
identification, these commenters stated that creating a limited data 
set was not comparable to encrypting information, and therefore, should 
not be included as a method to render protected health information 
unusable, unreadable, or indecipherable to unauthorized individuals.
    The majority of commenters, however, did support the inclusion of 
the limited data set in the guidance. These commenters stated that it 
would be impractical to require covered entities and business 
associates to notify individuals of a breach of information within a 
limited data set because, by definition, such information excludes the 
very identifiers that would enable covered entities and business 
associates, without undue burden, to identify the affected individuals 
and comply with the breach notification requirements. Additionally, 
these commenters cited contractual concerns regarding the data use 
agreement, which prohibits the recipient of a limited data set from re-
identifying the information and therefore, may pose problems with 
complying with the notification requirements of section 13402(b) of the 
Act.
    These commenters also noted that the decision to exclude the 
limited data set from the guidance, such that a breach of a limited 
data set would require breach notification, would reduce the likelihood 
that covered entities would continue to create and share limited data 
sets. This, in turn, would have a chilling effect on the research and 
public health communities, which rely on receiving information from 
covered entities in limited data set form.
    Finally, commenters noted that the removal of the 16 direct 
identifiers in the limited data set presents a minimal risk of serious 
harm to the individual by limiting the possibility that the information 
could be used for an illicit purpose if breached. These commenters also 
suggested that the inclusion of the limited data set in the guidance 
would align with most state breach notification laws, which, as a 
general matter, only require notification when certain identifiers are 
exposed and when there is a likelihood that the breach will result in 
harm to the individual.
    We also asked commenters if they believed that the removal of an 
individual's date of birth or zip code, in addition to the 16 direct 
identifiers in 45 CFR 164.514(e)(2), would reduce the risk of re-
identification of the information such that it could be included in the 
guidance. Several commenters responded to this question. While some 
stated that the removal of these data elements would render the

[[Page 42746]]

information useless to the research and public health communities, 
which may, for example, require zip codes for many population based 
studies, many commenters did acknowledge that the removal of these 
additional identifiers would reduce the risk of re-identification of 
the information.
    After considering these comments, we decided against including the 
limited data set in the guidance as a method for rendering protected 
health information unusable, unreadable, or indecipherable to 
unauthorized individuals due to the potential risk of re-identification 
of this information. However, we address breaches of limited data sets 
in the definition of ``breach'' as follows.
    Under the definition of ``breach'' at Sec.  164.402, in order to 
determine whether a covered entity's or business associate's 
impermissible use or disclosure of protected health information 
constitutes a breach, the covered entity or business associate will 
need to perform the risk assessment discussed above. This applies to 
impermissible uses or disclosures of protected health information that 
constitute a limited data set, unless, as discussed below, the 
protected health information also does not include zip codes or dates 
of birth. In performing the risk assessment to determine the likely 
risk of harm caused by an impermissible use or disclosure of a limited 
data set, the covered entity or business associate should take into 
consideration the risk of re-identification of the protected health 
information contained in the limited data set.
    Through a risk assessment, a covered entity or business associate 
may determine that the risk of identifying a particular individual is 
so small that the use or disclosure poses no significant risk of harm 
to any individuals. For example, it may be determined that an 
impermissible use or disclosures of a limited data set that includes 
zip codes, based on the population features of those zip codes, does 
not create a significant risk that a particular individual can be 
identified. Therefore, there would be no significant risk of harm to 
the individual. If there is no significant risk of harm to the 
individual, then no breach has occurred and no notification is 
required. If, however, the covered entity or business associate 
determines that the individual can be identified based on the 
information disclosed, and there is otherwise a significant risk of 
harm to the individual, then breach notification is required, unless 
one of the other exceptions discussed below applies.
    We have provided a narrow, explicit exception to what compromises 
the privacy or security of protected health information for a use or 
disclosure of protected health information that excludes the 16 direct 
identifiers listed at 45 CFR 164.514(e)(2) as well as dates of birth 
and zip codes. Thus, we deem an impermissible use or disclosure of this 
information to not compromise the security or privacy of the protected 
health information, because we believe that impermissible uses or 
disclosures of this information--if subjected to the type of risk 
assessment described above--would pose a low level of risk. We 
emphasize that this is a narrow exception. If, for example, the 
information does not contain birth dates but does contain zip code 
information or contains both birth dates and zip code information, then 
this narrow exception would not apply, and the covered entity or 
business associate would be required to perform a risk assessment to 
determine if the risk of re-identification poses a significant risk of 
harm to the individual. We invite comments on this narrow exception. We 
do not believe that this narrow exception will have the unintended 
consequence of discouraging the use of encryption and other methods for 
rendering protected health information unusable, unreadable, or 
indecipherable; however, we invite comments on this issue as well. 
Finally, we note that this narrow exception should not be construed as 
encouraging or permitting the use or disclosure of more than the 
minimum necessary information, in violation of Sec. Sec.  164.502(b) 
and 164.514(d).
    We do not intend to interfere with research or public health 
activities that rely on dates of birth or zip codes. Uses and 
disclosures of limited data sets that include this information continue 
to be permissible under the Privacy Rule if the applicable 
requirements, such as a data use agreement, are satisfied. Further, we 
note that a covered entity or business associate is not responsible for 
a breach by a third party to whom it permissibly disclosed protected 
health information, including limited data sets, unless the third party 
received the information in its role as an agent of the covered entity 
or business associate. To the extent that a third party recipient of 
the information is itself a covered entity, and the information is 
breached while at the third party (i.e., used or disclosed in an 
impermissible manner and in a manner determined to compromise the 
privacy or security of the information), then the third party will be 
responsible for complying with the provisions of this interim final 
rule. In cases where a covered entity is the recipient of a limited 
data set pursuant to Sec.  164.514(e) of the Privacy Rule and it is 
unable to re-identify the individuals after a breach occurs, it may 
satisfy the requirements of Sec.  164.404 without re-identifying the 
information, by providing substitute notice to the individuals as 
required by paragraph (d)(2) of that section.
    We note that the discussion above regarding ``limited data sets'' 
applies to any protected health information that excludes the 16 direct 
identifiers listed at Sec.  164.514(e)(2), regardless of whether the 
information is used for health care operations, public health, or 
research purposes (see Sec.  164.514(e)(3)(i)), and is subject to a 
data use agreement under Sec.  164.514(e) of the Privacy Rule. Thus, 
for example, a covered entity that impermissibly uses or discloses data 
that is stripped of the 16 direct identifiers described above, zip 
codes, and dates of birth, may take advantage of the exception to what 
is a breach, regardless of the intended purpose of the use or 
disclosure or whether a data use agreement was in place.
    With respect to any type of protected health information, we note 
that Sec.  164.414, discussed below, gives covered entities and 
business associates the burden of demonstrating that no breach has 
occurred because the impermissible use or disclosure did not pose a 
significant risk of harm to the individual. Covered entities and 
business associates must document their risk assessments, so that they 
can demonstrate, if necessary, that no breach notification was required 
following an impermissible use or disclosure of protected health 
information. For impermissible uses or disclosures of protected health 
information that fall under the narrow exception at paragraph (1)(ii) 
of this definition, which do not qualify as breaches because the 
protected health information is a limited data set that does not 
include zip codes or dates of birth, documentation that demonstrates 
that the lost information did not include these identifiers will 
suffice.
Exceptions to Breach
    Section 13400(1) of the Act also includes three exceptions to the 
definition of ``breach'' that encompass situations Congress clearly 
intended to not constitute breaches: (1) Unintentional acquisition, 
access, or use of protected health information by an employee or 
individual acting under the authority of a covered entity or business 
associate (section 13400(1)(B)(i)); (2) inadvertent disclosure of 
protected health information from one person

[[Page 42747]]

authorized to access protected health information at a covered entity 
or business associate to another person authorized to access protected 
health information at the covered entity or business associate (section 
13400(1)(B)(ii) and (iii)); and (3) unauthorized disclosures in which 
an unauthorized person to whom protected health information is 
disclosed would not reasonably have been able to retain the information 
(section 13400(1)(A)). We have included these three exceptions as 
paragraphs (2)(i), (ii), and (iii), respectively.
    The first regulatory exception at paragraph (2)(i) of this 
definition, for unintentional acquisition, access, or use of protected 
health information, generally mirrors the exception in section 
13400(1)(B)(i) of the Act. This statutory section excepts from the 
definition of ``breach'' the unintentional acquisition, access, or use 
of protected health information by an employee or individual acting 
under the authority of a covered entity or a business associate, if the 
acquisition, access, or use was made in good faith, within the course 
and scope of employment or other professional relationship, and does 
not result in further use or disclosure.
    We modified the statutory language to use ``workforce members'' 
instead of employees. Workforce member is a defined term in 45 CFR 
160.103 and means ``employees, volunteers, trainees, and other persons 
whose conduct, in the performance of work for a covered entity, is 
under the direct control of such entity, whether or not they are paid 
by the covered entity.''
    A person is acting under the authority of a covered entity or 
business associate if he or she is acting on its behalf. This may 
include a workforce member of a covered entity, an employee of a 
business associate, or even a business associate of a covered entity. 
Similarly, to determine whether the access, acquisition, or use was 
made ``within the scope of authority,'' the covered entity or business 
associate should consider whether the person was acting on its behalf 
at the time of the inadvertent acquisition, access, or use.
    Additionally, while the statutory language provides that this 
exception applies where the recipient does not further use or disclose 
the information, we have interpreted this exception as encompassing 
circumstances where the recipient does not further use or disclose the 
information in a manner not permitted under the Privacy Rule. In 
circumstances where any further use or disclosure of the information is 
permissible under the Privacy Rule, we interpret that there is no 
breach because the security and privacy of the information has not been 
compromised by any such permissible use or disclosure.
    To illustrate this exception, we offer the following example. A 
billing employee receives and opens an e-mail containing protected 
health information about a patient which a nurse mistakenly sent to the 
billing employee. The billing employee notices that he is not the 
intended recipient, alerts the nurse of the misdirected e-mail, and 
then deletes it. The billing employee unintentionally accessed 
protected health information to which he was not authorized to have 
access. However, the billing employee's use of the information was done 
in good faith and within the scope of authority, and therefore, would 
not constitute a breach and notification would not be required, 
provided the employee did not further use or disclose the information 
accessed in a manner not permitted by the Privacy Rule.
    In contrast, a receptionist at a covered entity who is not 
authorized to access protected health information decides to look 
through patient files in order to learn of a friend's treatment. In 
this case, the impermissible access to protected health information 
would not fall within this exception to breach because such access was 
neither unintentional, done in good faith, nor within the scope of 
authority.
    The second regulatory exception, at paragraph (2)(ii) of this 
definition, covers inadvertent disclosures and generally mirrors the 
exception provided in section 13400(1)(B)(ii) and (iii) of the Act, 
with slight modifications. The statute excepts from the definition of 
``breach'' inadvertent disclosures from an individual who is otherwise 
authorized to access protected health information at a facility 
operated by a covered entity or business associate to another similarly 
situated individual at the same facility if the information is not 
further used or disclosed without authorization. We have modified the 
statutory language slightly to except from breach inadvertent 
disclosures of protected health information from a person who is 
authorized to access protected health information at a covered entity 
or business associate to another person authorized to access protected 
health information at the same covered entity, business associate, or 
organized health care arrangement in which the covered entity 
participates. Organized health care arrangement is defined by the HIPAA 
Rules to mean, among other things, a clinically integrated care setting 
in which individuals typically receive health care from more than one 
health care provider.\10\ See 45 CFR 160.103. This includes, for 
example, a covered entity, such as a hospital, and the health care 
providers who have staff privileges at the hospital.
---------------------------------------------------------------------------

    \10\ 45 CFR 160.103 also defines ``organized health care 
arrangement'' to include ``an organized system of health care in 
which more than one covered entity participates'' and in which the 
participating covered entities engage in certain joint utilization 
review, quality assessment and improvement, or payment activities. 
In addition, the definition encompasses certain relationships 
between group health plans and health insurance issuers or health 
maintenance organizations (HMO), as well as relationships among 
group health plans which are maintained by the same plan sponsor.
---------------------------------------------------------------------------

    We received several comments with respect to this exception, and 
many commenters asked that we clarify and explain the statutory 
language regarding what it means to be a ``similarly situated 
individual'' and what constitutes the ``same facility'' for purposes of 
this exception. We believe that a ``similarly situated individual,'' 
for purposes of the statute, means an individual who is authorized to 
access protected health information, and thus, for clarity, we have 
substituted this language for the statutory language in the regulation. 
Thus, a person who is authorized to access protected health information 
is similarly situated, for purposes of this regulation, to another 
person at the covered entity, business associate of the covered entity, 
or organized health care arrangement in which the covered entity 
participates, who is also authorized to access protected health 
information (even if the two persons may not be authorized to access 
the same types of protected health information). For example, a 
physician who has authority to use or disclose protected health 
information at a hospital by virtue of participating in an organized 
health care arrangement with the hospital is similarly situated to a 
nurse or billing employee at the hospital. In contrast, the physician 
is not similarly situated to an employee at the hospital who is not 
authorized to access protected health information.
    Additionally, we have interpreted ``same facility'' to mean the 
same covered entity, business associate, or organized health care 
arrangement in which the covered entity participates and have 
substituted this language in the regulation. By focusing on the legal 
entity or status of the entities as an organized health care 
arrangement when interpreting ``same facility,'' we believe we have 
more clearly captured the intent of the statute and have also 
alleviated commenter concerns that the term ``facility'' was too 
narrow. Therefore, the size of the covered entity,

[[Page 42748]]

business associate, or organized health care arrangement will dictate 
the scope of this exception. If a covered entity has a single location, 
then the exception will apply to disclosures between a workforce member 
and, e.g., a physician with staff privileges at that single location. 
However, if a covered entity has multiple locations across the country, 
the same exception will apply even if the workforce member makes the 
disclosure to a physician with staff privileges at a facility located 
in another state.
    We interpret the statutory limitation that the information not be 
``further acquired, accessed, used, or disclosed without 
authorization'' as meaning that the information is not further used or 
disclosed in a manner not permitted by the Privacy Rule. Thus, this 
exception encompasses circumstances in which a person who is authorized 
to use or disclose protected health information within a covered 
entity, business associate, or organized health care arrangement 
inadvertently discloses that information to another person who is 
authorized to use or disclose protected health information within the 
same covered entity, business associate, or organized health care 
arrangement, as long as the recipient does not further use or disclose 
the information in violation of the Privacy Rule.
    The final regulatory exception to breach at paragraph (2)(iii) of 
this definition mirrors the exception found in section 13400(1)(A) of 
the Act. The statute excepts from the definition of ``breach