I’m first working my way through the provisions in the stimulus bill that relate to breaches and notifications. One of the recommendations that I and other privacy advocates had made was central notification and disclosure on a publicly available web site. They heard us. Here’s part of the new law:
(3) NOTICE TO SECRETARY- Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals than such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.
(4) POSTING ON HHS PUBLIC WEBSITE- The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
I can’t tell (yet) what happens to logs of breaches of unsecured PHI affecting fewer than 500 people that are submitted to HHS in terms of whether they, too, will be posted on the HHS web site. It sounds like they may not get posted, and this only applies to unsecured PHI and not all breaches involving PHI, but it still represents significant progress over what we had under HIPAA and state laws. And this certainly is a boon to those of us to try to track breaches.
Another provision of note concerns individual notice. If the entity cannot contact 10 or more people by mail or other means, then they must use substitute form of notice such as a prominent posting on their web site or a media notice. That provision, too, will also increase our awareness of breaches because under HIPAA, they had no duty to notify patients of breaches, only to mitigate harm.
As to the content of notice, the law specifies:
(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.
(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
The first requirement is helpful because it will stop a lot of the “We recently learned” phrases that give us no idea when the entity actually was breached or learned of the breach.
There’s a lot more to the provisions, and I will continue working my way through them. No bill is perfect, but there really are some definite improvements in this law from a privacy advocacy perspective.