DLA Piper | Publications | HIPAA security breach notification rule takes effect Septembe... Page 1 of 3
2 SEP 2009
HIPAA security breach notification rule takes effect September 23
HEALTH CARE ALERT
Deborah L. Gersh, Robyn L. Sterling
http://www.dlapiper.com/hipaa-security-breach-notification-rule-takes-effect-september-23/
9/2/2009

The US Department of Health and Human Services (HHS) has issued the interim final rule regarding notification of breaches of unsecured protected health information under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new rule, issued in late August and taking effect September 23, 2009, clarifies key concepts pertaining to covered entity and business associate obligations when a breach of unsecured protected health information occurs. The rule further specifies the technologies and methodologies that render protected health information (PHI) unusable, unreadable or indecipherable to unauthorized individuals, and therefore exempt from the notice requirements.

Business Associate Liability and Compliance Obligations

The American Recovery and Reinvestment Act of 2009 (ARRA) modifies the existing HIPAA framework by requiring business associates to comply directly with the HIPAA Security Rule provisions on administrative, physical and technical safeguards. All Business Associate Agreements must reflect the business associate's new obligations. Additionally, ARRA now allows sanctions to be imposed on business associates that fail to comply with the HIPAA Privacy Rule. In short, in addition to any specific contractual liability, in the event of a breach by the business associate, the business associate is now statutorily required to take steps to mitigate any damages to covered entities, including health care organizations, and to individuals whose unsecured PHI was compromised.

Breach Notification Requirement

The new rule requires notification to individuals and to HHS for breaches of unsecured PHI. Unsecured PHI is any PHI that is not secured through a technology or methodology specified by HHS. The HHS regulations require covered entities to notify affected individuals of a breach without unreasonable delay, and in no case later than 60 calendar days from the date of discovery. Written notification must be sent to each affected individual by first-class mail (or by e-mail, if the individual has agreed to electronic notice), regardless of the size of the breach. For a breach involving more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that area, for example by press release. Breaches affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified; smaller breaches are logged and reported to HHS annually.

Notice Requirements. Under the rule, the notice must be written in plain language and include:
- A brief description of what happened;
- A description of the types of unsecured PHI that were involved in the breach;
- Steps that individuals should take to protect themselves;
- A brief description of the action the covered entity or business associate is taking to investigate and mitigate harm; and
- Contact procedures for affected individuals with questions or concerns. Contact information must include a toll-free number, an e-mail address, a website or a postal address.

Risk Assessment. The rule clarifies that the privacy and security of PHI is compromised, and the notification requirement is triggered, only if the acquisition, access, use or disclosure of the information poses a significant risk of financial, reputational or other harm to the individual. The covered entity or business associate must conduct a risk assessment and determine whether a significant risk to the individual exists. Because the covered entity bears the burden of demonstrating that notice was not required, the assessment and its conclusion should be documented.
Factors to consider include who impermissibly used or obtained the information, the type of information involved, whether the covered entity took immediate steps that eliminated or reduced the risk of harm, and whether the information was returned prior to being used for an improper purpose.

Federal Rules Preempt State Rules

HHS carefully noted that covered entities must comply with both state breach notification laws and the federal HIPAA regulations unless a covered entity finds it impossible to comply with both. In that case, the covered entity must meet the federal HIPAA requirements. It is expected that, on most occasions, covered entities will be capable of complying with both applicable state breach notification laws and the HIPAA security breach notification rule.

Security Guidance: Use Encryption, Destroy Paper Records

HHS affirmed that the only method to render electronic protected health information unusable, unreadable or indecipherable to unauthorized persons is encryption; the alternative is to destroy the storage media itself. HHS relies on the detailed encryption guidance from the National Institute of Standards and Technology. The HHS guidance also makes clear that encryption provides this safe harbor only if the decryption key was not itself compromised, and that keys should be stored on a device or at a location separate from the data they protect; key management therefore matters as much as the choice of algorithm. When a covered entity is the subject of a data breach, but the data is appropriately encrypted, federal breach notification requirements and the vast majority of state breach notification requirements will not be triggered. With respect to information in non-electronic formats, HHS stated that only destruction of paper records, and not redaction, will meet the requirements to avoid breach notification. HHS takes the position that covered entities can encrypt or destroy:
- Data in motion: data that is moving through a network;
- Data at rest: data in databases, file systems, flash drives, memory and any other storage method; and
- Data disposed: discarded paper records or recycled electronic media.
At present, the guidance is somewhat unclear about how to address data in use, which is data in the process of being created, retrieved, updated or deleted.

Act Quickly to Comply

Organizations must act quickly to implement policies and procedures to comply with the new rule. Organizations should:
- Identify sources of unsecured PHI.
- Determine how to secure PHI to avoid having to provide breach notifications.
- Develop policies and procedures regarding securing PHI.
- Develop policies and procedures for breach notifications.
- Assign responsibility for drafting and approving breach notices.
- Revise business associate agreements to address breach notice obligations.
- Train workforce members regarding the new breach notice rule.

Rule Becomes Effective September 23, 2009

The rule will take effect September 23, 2009. However, HHS has stated that it will not impose sanctions for violations during the first six months after the rule takes effect. Instead, HHS will work with covered entities and business associates through technical assistance and voluntary corrective actions.