ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

This post was written by Jennifer Pike and Brad Rostolsky

The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remains to be seen.

HHS Seeks to Reduce Gun Violence Via Modifications to the HIPAA Privacy Rule

This post was written by Nancy E. Bonifant and Jennifer L. Pike

After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services (“HHS”) has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System (“NICS”) the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the “mental health prohibitor”).

The NICS is the system used to determine whether a potential firearms recipient is statutorily prohibited from possessing or receiving a firearm. The mental health prohibitor applies to individuals who have been (1) involuntarily committed to a mental institution; (2) found incompetent to stand trial or not guilty for reason of insanity; or (3) otherwise determined, through formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others, or being incapable of managing their own affairs.

While most records related to involuntary commitments and mental health adjudications originate in entities affiliated with the criminal justice system (which are generally not subject to HIPAA), state entities outside the criminal justice system may also be involved. If these state entities are HIPAA-covered entities, or if a HIPAA-covered entity is the state repository for such records, then these records are subject to HIPAA.

Under the existing HIPAA Privacy Rule, there are circumstances where records subject to HIPAA may be reported to the NICS. For example, the Privacy Rule permits any covered entity to disclose information to the NICS to the extent such reporting is required by state law. In the absence of a state law requirement, however, reporting to the NICS is only permissible to the extent a covered entity designates itself as a hybrid-covered entity, and the relevant information is maintained and reported through the non-HIPAA regulated portion of that entity. As a result, OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.

Notably, this new permission would apply only to covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a state, or that are responsible for ordering the involuntary commitments or other adjudications that make an individual subject to the federal mental health prohibitor. Further, the new permission would strictly limit the information used or disclosed for NICS reporting purposes to the minimum necessary—HHS considers the minimum necessary information to include: (1) an individual’s name; (2) an individual’s date of birth; (3) an individual’s sex; (4) a code or notation indicating that the individual is subject to the federal mental health prohibitor; (5) a code or notation representing the reporting entity; and (6) a code identifying the agency record supporting the prohibition. The new permission would not permit the use or disclosure of clinical or diagnostic information.

HHS is seeking comments related to the proposed rule. Comments may be submitted in writing, or electronically at www.regulations.gov, on or before March 10, 2014.
 

OCR OUT OF COMPLIANCE? OIG Report Concludes OCR Slow To Enforce HIPAA Security Rule and To Comply with Federal Cybersecurity Requirements

This post was written Nancy E. Bonifant and Brad M. Rostolsky

According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule.

The OIG’s report, which followed an assessment of OCR’s Security Rule oversight and enforcement activities from July 2009 through May 2011, concluded that:

  • OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to follow the complaint-driven approach to assess the status of Security Rule compliance
     
  • OCR failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule

To address these findings, the OIG recommended that OCR: (i) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (ii) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; and (iii) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed.

Separately, the OIG also assessed OCR’s computer systems as of May 2011, and concluded that OCR had not fully complied with the cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its information systems used to process and store investigation data, because it focused on system operability to the detriment of system and data security. As a result, the OIG recommended that OCR implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.

In response, OCR generally concurred with the recommendations and described the actions it has taken to address the OIG’s concerns since May 2011. Notably, while OCR did initiate a pilot audit program in November 2011 and has subsequently audited 115 covered entities, OCR also explained that the funds used to support those audit activities are no longer available, and no funds have been appropriated for it to maintain a permanent audit program.

In consideration of the OIG’s report and OCR’s response, the looming questions that remain are how OCR will fund its statutorily required enforcement and compliance activities, and whether covered entities and business associates should expect increased enforcement to help subsidize OCR’s compliance going forward.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system was installed on the computer and that the software needed to access the ePHI was not reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely permanently disabled the hard drive and rendered any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies, and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR,  "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals.  The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office of Civil Rights in accordance with the HIPAA Breach Notification Rule.  Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information.  South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes.  According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.  The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes arrived.  The two missing boxes were never recovered and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA.  State Attorney Generals have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, which includes obtaining damages and enjoining further violations, pursuant to HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009.  In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

 

OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.


The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.


According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.


In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitor reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

OCR Launches Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act’s mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (range in type and size) in the initial phase. Business associates will be included in future audits.

During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days, and after fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

A description of the pilot program is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

 

Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter  of our Cloud Computing White Paper.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements and Access Report

This post was written by Gina M. Cavalier and Brad M. Rostolsky.

Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting and, (2) an access report.

With respect to an accounting, HHS proposes that individuals have a right to an accounting of disclosures of PHI in a designated record set made by a covered entity or a business associate: (i) for impermissible purposes, (ii) for public health activities, (iii) for judicial and administrative proceedings, (iv) for law enforcement purposes, (v) to avert a serious threat to health or safety, (vi) for military and veterans activities, and (vii) for workers compensation. The proposed compliance date for this provision is 180 days after the effective date of the final rule.

With respect to the access report, HHS proposes to provide individuals with the right to receive a report detailing who has accessed their electronic PHI in a designated record set maintained by a covered entity or its business associates. HHS proposes that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009.

The proposed rule is posted here.

Comments are due in 60 days - August 1, 2011.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current HIPAA Privacy Rule. The Department of Health and Human Services (HHS) will shortly publish a notice of proposed rulemaking to modify the Privacy Rule’s standard for accounting of disclosures of protected health information. An advance copy of the proposed rule is available here.

HHS proposes to expand the accounting requirements of the Privacy Rule to provide individuals with the right to receive an access report detailing who has accessed their electronic PHI in a designated record set. Accordingly, HHS proposes to revise an individual’s right to an accounting under the Privacy Rule by separately setting forth an individual’s right to (a) an accounting of disclosures and (2) an access report. HHS has also proposed other changes designed to improve the workability and effectiveness of the existing accounting of disclosures requirements.

 

Comments are due 60 days after the proposed rule is published in the Federal Register.

 

More to come...

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at HHS Office for Civil Right (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011.   Additionally, OCR, developing a HITECH Act required "periodic audit" plan, which will be targeted to ensure that covered entities and business associates comply with the requirements of  the Privacy and Security Rules. 

We'll keep you posted as things progress . . .

New HITECH/HIPAA Proposed Rule Released Today

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).  The advance version of the rule can be accessed here; the official version will be published July 14.  A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

HITECH Privacy and Security Regulations Currently Being Drafted

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published (along with a comment period) relating to (1) business associate liability; (2) new limitations on the sale of protected health information, marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions." 

Providing further evidence that the HITECH Act provisions relative to covered entities and business associates will not be enforced until after these forthcoming regulations have been finalized, HHS stated that "[a]lthough the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."  The HITECH Act, however, is currently effective, and questions about the effective date for enforcement of the Act's privacy and security requirements may remain until published regulations specifically postpone enforcement.  Additionally, HHS reminds us that the Breach Notification Rule and the revised Enforcement Rule are currently in effect, and that covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH ActConsistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique identifier for Health Care Providers (NPI Rule)) by instituting the below categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009. 

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties if (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred. 

Comments on this interim final rule will be considered if received by December 29, 2009.

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009, however, HHS will not impose sanctions for failure to provide the required notices for breaches that are discoverable before February 22, 2010.

For additional details, read the full alert

FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records

This post was written by Mark S. MelodiaMichael K. BrownJ. Ferd Convery, IIISteven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.