Life Sciences Legal Update : Life Sciences Lawyers & Attorneys : Reed Smith Law Firm : Healthcare, Food and Drug Law, Biotechnology, Privacy, Product Liability

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).  The advance version of the rule can be accessed here; the official version will be published July 14.  A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)).  President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter, the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published (along with a comment period) relating to (1) business associate liability; (2) new limitations on the sale of protected health information, marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions." 

Providing further evidence that the HITECH Act provisions relative to covered entities and business associates will not be enforced until after these forthcoming regulations have been finalized, HHS stated that "[a]lthough the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."  The HITECH Act, however, is currently effective, and questions about the effective date for enforcement of the Act's privacy and security requirements may remain until published regulations specifically postpone enforcement.  Additionally, HHS reminds us that the Breach Notification Rule and the revised Enforcement Rule are currently in effect, and that covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique identifier for Health Care Providers (NPI Rule)) by instituting the below categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009. 

• Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
• Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
• Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
• Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties if (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred. 

Comments on this interim final rule will be considered if received by December 29, 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009, however, HHS will not impose sanctions for failure to provide the required notices for breaches that are discoverable before February 22, 2010.

For additional details, read the full alert. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Mark S. Melodia, Michael K. Brown, J. Ferd Convery, III, Steven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link