On Aug. 24, the Department of Health and Human Services (HHS) issued its Interim Final Rule on Breach Notification for Unsecured Protected Health Information (referred to in this article as the HHS Rule). The rule, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires HIPAA-covered entities to notify HHS and the affected individuals upon discovering a breach of unsecured protected health information (PHI).
If a business associate of a covered entity discovers a breach of unsecured PHI, it must notify the covered entity so it can fulfill its own notice requirement. In each case, the discovery of a breach starts the clock running for notification. Notice must be given "without unreasonable delay," and in all events within 60 days, after discovery of the breach. The HHS Rule went into effect Wednesday.
'Should have known' is the same as knowing
Although the HHS Rule has been the focus of much discussion in recent weeks, a curious aspect of the rule with significant legal and compliance implications has gone largely unnoticed. Determining when a breach has been discovered is of crucial importance, since, as mentioned above, a covered entity or business associate has at most 60 days to provide the required notice. The HHS Rule states that a breach is "discovered" on the first day it is known -- or by exercising reasonable diligence would have been known -- to any person, other than the person committing the breach, who is a "workforce member or agent" of the covered entity (or an "employee, officer, or other agent" of the business associate, which amounts to the same thing).
This by itself sets a difficult standard, since a "workforce member" (or an "employee" of a business associate) can include a janitor or a summer intern, i.e., it does not have to be a managerial employee or, indeed, anyone who normally exercises responsibility or authority in connection with PHI.
Furthermore, "discovery" does not even require actual knowledge of a breach -- if the janitor or summer intern had some inkling that something was wrong and would have found out about the breach if they had asked questions or notified a supervisor instead of leaving work five minutes early, then the organization has "discovered" the breach for purposes of the notice timing requirement, even if no one actually learns of the breach for days or weeks afterward. The HHS Rule's position that any member of an organization knows something at the moment he "should have known" it, combined with its attribution of that "constructive" knowledge to the entire organization, creates a major compliance headache. When was the last time any organization ever enjoyed perfect and instantaneous communication?
Who is an agent?
Knowledge (whether actual or constructive) is attributed to an organization not only from its workforce members or employees, but also from its agents. Agent has a well-settled legal meaning in state law, namely, any person or entity who is authorized to act on behalf of another person or entity.
However, the HHS Rule contains a twist: Whether or not someone is an "agent" of a covered entity or business associate will be "determined in accordance with the federal common law of agency." To understand why this is significant requires a quick legal explanation. In matters where no federal statute, regulation or constitutional provision is being interpreted, a federal court adjudicating a dispute will apply federal rules of evidence and civil or criminal procedure but will apply state law doctrines to guide its analysis of age-old common-law issues like torts, contracts and agency (i.e., whether or not someone is an agent and their actions can legally bind their alleged principal). Therefore, when we use traditional legal doctrines to determine whether or not an agent-principal relationship exists, these doctrines are creations of state common law.
The HHS Rule, however, invokes the federal common law of agency, which has only really begun to develop in earnest over the past decade, mostly in connection with the Employee Retirement Income Security Act (ERISA) cases analyzing, for example, whether an employer is an agent of an insurance carrier for purposes of accepting employee benefit elections and beneficiary designations (if it is, then elections and designations accepted by the employer will be binding on the carrier).
The HHS commentary accompanying the rule repeats the "federal common law of agency" reference several times and notes that it is consistent with existing HIPAA rules but provides no further explanation. Without a clear-cut "federal common law of agency," then, there is the potential for much confusion and litigation over whether a contractor or other nonemployee of a HIPAA-covered entity or business associate is an "agent" for purposes of discovering a breach of PHI.
Gazing into our crystal ball, when is it likely that someone will be considered an agent of another person under federal common law? Analogizing from the ERISA cases, if a HIPAA-covered entity or business associate delegates significant administrative duties to a contractor or service provider, that party has a good chance of being held an agent, especially since no one but the covered entity or business associate will be in a position to control its activities and holding it to be an agent would provide the principal with an incentive to exercise greater monitoring and oversight (a result that seems to promote HIPAA's objective of protecting individuals and improving the security of PHI).
At the same time, the HHS Rule's imputation of knowledge from agents to principals could be extremely attenuated -- for example, if a low-level employee at a service provider is tipped off about a security incident but fails to report it, then the service provider may be deemed to have "discovered" the breach, and if it is an agent of the covered entity, its discovery could be instantaneously imputed to the covered entity and set the clock for notice running.
Compliance lessons: Communication is key
What practical compliance lessons can be drawn from this analysis? Clearly, a covered entity or business associate, if it has not already done so, must include in its information security program a policy that all data breaches and suspicious circumstances (examples of which, like unusual database usage patterns, should be given in the policy) must be immediately reported to a designated member of the organization.
With knowledge of security incidents imputed across a diverse array of employees and service providers ... organizations that hold or access PHI will have to start working on their communication.
All employees and on-site contractors must be trained in the policy upon implementation and thereafter at periodic intervals. The emphasis on reporting suspicious circumstances, not just detected breaches, is critical, since an organization will be deemed to have knowledge of a breach for purposes of notice timing from the very first day that any of its employees or agents are tipped off about a possible security incident.
Training is a central theme in the HHS Rule. The rule itself provides that a covered entity "must train all members of its workforce on the policies and procedures with respect to [PHI] … as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity." In its commentary, HHS emphasizes the need to "implement reasonable systems for the discovery of breaches" and that covered entities "should ensure their workforce members and other agents are adequately trained and aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so." Accordingly, the data breach reporting policy should state that failure to comply may result in disciplinary action, up to and including termination.
The policy should also be communicated to any service providers with access to PHI. They should be required by contract or contract amendment to acknowledge the policy, agree to comply with the HHS Rule, and immediately report any breaches or suspicious circumstances through the designated channels, as well as cooperate with the organization in investigating any breaches or suspicious circumstances.
With knowledge of security incidents imputed across a diverse array of employees and service providers, and with the parameters of agency under federal common law unclear, organizations that hold or access PHI will have to start working on their communication -- fast.
Andrew M. Baer is an attorney and founder of Baer Business Law LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. Baer can be contacted at firstname.lastname@example.org or @BaerBizLaw on Twitter.