Flipping the Presumption: Any disclosure is a breach unless proven otherwise

The Department of Health and Human Service (HHS) and the Federal Trade Commission (FTC) Breach Regulations presume that all unauthorized disclosures are breaches. Anyone who discloses information much be able to demonstrate compliance with HHS Security Guidance to establish that no breach occurred.

American Recovery and Reinvestment Act of 2009 (ARRA) provisions on health information technology (known as HITECH for the acronym deficient) defines the term “breach” to mean “the unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information….” HITECH section 13400(1) Privacy and security are presumed under the ARRA (www.recovery.gov).

Contrary to the ARRA, however, the recently published FTC (www.ftc.gov) regulations, and the companion interim final regulations from the Department of Health and Human Services (HHS) on breach notification and security of health information, flip the presumption.

The FTC defines breach of PHR identifiable information to mean acquisition “without the authorization of the individual.” Unauthorized acquisition shall be presumed to include unauthorized access…unless the vendor, PHR related entity or third party service provider that experienced the breach has reliable evidence showing that there has not been or could not reasonably have been, unauthorized acquisition of such information. 16 CFR §318.2 (emphasis added)

Likewise, the HHS Interim Final rulemaking provides that in the event of an unauthorized or impermissible use or disclosure a covered entity or business associate “shall have the burden of demonstrating that… the disclosure did not constitute a breach…” 45 CFR §164.414 (emphasis added)

Why is this important? The ordinary use and disclosure of health information involves frequent transmissions to the incorrect recipient, or to an unidentified recipient. Under the FTC and HHS rules, once information falls into the wrong recipient’s hands, it is considered breached whether or not it actually is viewed by the wrong person, and all the notification provisions and potential penalties apply. Effectively, there is a presumption of guilt which the entity which has data at rest, in motion, in use or not yet destroyed, must overcome.

How to Protect Your Interests? The new compliance imperative is to document how information is secured. Moreover, the method of security should meet the standards approved in the HHS guidelines published April 17, 2009. That guidance identifies the technologies and methodologies that render PHI “unusable, unreadable or indecipherable to unauthorized individuals.” The Guidance specifies those standards published by the National Institute of Standards and Technology, and include detailed provisions on encryption.

Whom to contact? For Help establishing an appropriate compliance program to address this and other privacy and security issues, please contact me at [email protected].