Rite Aid Fined $1 Million for Improperly Disposing Personal Information

On July 27th, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced settlements with Rite Aid Corporation for the improper disposal of personal information -- including prescriptions and labeled pill bottles containing identifiable information about Rite Aid customers, and employment applications -- in publicly accessible dumpsters behind Rite Aid stores in a number of cities across the country.  In addition to improperly disposing of personal information, HHS and the FTC also claimed that Rite Aid failed to:

  • implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal;
  • adequately train employees to dispose securely of such information;
  • use reasonable measures to assess compliance with its established policies and procedures for disposing of such information; and
  • employ a reasonable process for discovering and remedying risks to such information.

Under the HHS resolution agreement, Rite Aid agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act Privacy Rule.  Rite Aid also agreed to distribute policies and procedures for protecting protected health information (such as the patient information improperly disposed of in this case), train employees on the policies and procedures, monitor for violations, sanction employees who commit violations, and hire a third-party auditor to conduct periodic compliance reviews.  The HHS resolution agreement applies for three years.

In its consent order, the FTC accused Rite Aid of committing both unfair and deceptive trade practices in violation of Section 5 of the FTC Act.  Specifically, the FTC claimed that Rite Aid committed unfair trade practices when it failed to employ reasonable and appropriate measures to prevent unauthorized access to the personal information, and committed deceptive trade practices when it recklessly disposed of customers' health information despite making claims it would responsibly protect such information. 

In addition to the penalties imposed by HHS, the FTC ordered Rite Aid to cease misrepresenting its information security practices to consumers, establish a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers and employees, and obtain biannual audits of its information security program for the next 20 years.

These settlements were similar to those imposed on CVS Caremark in February of 2009, which also stemmed from a joint investigation by HHS and the FTC into reports of patient and employee information improperly disposed of in publicly accessible dumpsters.  While many of the procedural requirements of the settlements are similar, in that case HHS required CVS Caremark to pay $2.25 million to settle the charges.

These cases reaffirm the agencies' commitment to investigating and punishing improper data disposal practices, especially in light of high-profile media reports discovering sensitive consumer information in dumpsters and boxes left by the side of the road.  In order to avoid these types of high-profile investigations, organizations should implement and enforce data retention policies and always destroy sensitive customer and employee data prior to disposal.

Major Changes to the HIPAA Privacy, Security and Enforcement Rules Introduced in the HHS Proposed Rule

The Department of Health and Human Services (HHS) introduced sweeping changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Enforcement Rules in its Notice of Proposed Rulemaking issued on July 8. 

Some of the major changes introduced under the Proposed Rule include:

  • Business Associates and Business Associate Agreements— HHS modifies the current definition of business associates to explicitly include several new entities, most importantly subcontractors who create, receive or transmit protected health information (PHI) on behalf of business associates. Subcontractors who meet this criterion are now business associates and, consequently, are required to enter into business associate agreements with business associates and are subject to direct liability under the HIPAA Rules.

The Proposed Rule also makes a number of modifications to the business associate agreement contractual requirements, including (but not limited to) requiring that business associate agreements include language that requires business associates to report breaches of unsecured PHI to covered entities and, to the extent a business associate is carrying out any covered entity Privacy Rule obligations, to comply with the relevant Privacy Rule requirements that apply to the covered entity.

The Proposed Rule proposes a one-year transition period for compliance with the new business associate agreement requirements for certain existing contracts.

  • Security Rule— The Proposed Rule makes § 164.306 of the Security Rule, which sets out general rules that apply to all standards and implementation sections of the Security Rule, apply to business associates. HHS also introduces several other changes to the Security Rule with respect to business associates in the Proposed Rule.

  • Marketing— HHS proposes significant, complex revisions to the exceptions to the definition of “marketing” and solicits comments on a number of its proposals, including the distinction it draws in the Proposed Rule between treatment and health care operations communications.


OCR Releases Proposed HITECH Privacy Rule -- Biggest Change to Health Privacy Law Since HIPAA

This morning the Office of Civil Rights (OCR) issued a notice of proposed rulemaking to modify the HIPAA Privacy, Security, and Enforcement Rules.  The proposed modifications would extend parts of the HIPAA Privacy Rule and virtually all of the Security Rule to the business associates of HIPAA covered entities, impose new limits on the use and disclosure of protected health information for marketing, prohibit the sale of protected health information without patient consent, expand individuals’ rights to access their information and permit patients to restrict the disclosure of certain information to health plans.  In addition, the proposed rule will strengthen and expand HIPAA’s enforcement provisions.  Comments will be accepted on the new rule for 60 days following publication in the Federal Register, which is currently scheduled for July 14, 2010.  Hogan Lovells attorneys are reviewing the proposed rule and will post highlights shortly.

FCC and FDA to Hold Public Forum Regarding Wireless Medical Technology; Public Comments Sought

The Federal Communications Commission and the Food and Drug Administration jointly announced this week an upcoming public forum to discuss the review process for “Life-Saving Wireless Medical Technology.” The joint public forum is scheduled for July 26-27, 2010 and written comments in advance of the meeting are due June 25, 2010.

The FCC and FDA share joint regulatory authority over wireless-enabled medical devices, most notably those relying upon commercial broadband wireless networks to relay patient information back to providers. As described in the FCC news release, “[t]he joint public meeting . . . reflects a commitment by the two agencies to work even more closely to ensure the safety and reliability of [these] devices while increasing their availability to consumers and health care providers. This collaboration is a critical step in the development and approval of new wireless medical devices . . . .” The two agencies expressed a desire to develop a collaborative, streamlined process for review of new devices.

The accompanying Public Notice included a list of questions on which the agencies are seeking written comments in advance of the public forum. These topics include:

  • Data integrity and reliability issues arising from the use of allocated spectrum, the use of unlicensed devices, and the use of commercial networks and applications, and needs, uses, and risks for ‘medical-grade’ wireless technology and communications.
  • Medical device and system security issues including inadvertent and intentional intrusion.
  • Views on current FDA and FCC regulatory requirements, including the relationship between FDA approval/clearance and FCC certification of applications, and post-market and compliance requirements.

The request also solicited comments on additional topics appropriate for inclusion in the forum.

ONC Launches New Privacy and Security Workgroup

The Office of the National Coordinator for Health IT (ONC) has organized a workgroup under the auspices of the HIT Policy Committee to move forward on and maintain consistency with respect to a range of privacy and security issues. This new “Privacy & Security Tiger Team” will be co-chaired by Deven McGraw, Center for Democracy & Technology, and Paul Egerman, a health IT consultant, and comprised of members of the Health IT Policy and Standards Committees, as well as of the National Committee on Vital and Health Statistics (NCVHS).

The Tiger Team will work over the next few months to address the privacy and security requirements of the HITECH Act, as well as the needs of the new organizations – such as state health information exchanges and regional health IT extension centers – created under that law. The group held its first meeting June 9 and discussed: at what level its policy recommendations should be; the overarching issues raised by NHIN Direct; and what privacy and security frameworks should be in place.

The group met again on June 10 to continue its discussions. ONC expects the Tiger Team’s work to be completed by late fall 2010.

HIT Policy Committee Workgroup Recommends Encryption Mandate

The Health IT Policy Committee’s Privacy and Security workgroup has recommended that patient data exchanged between providers for treatment purposes be governed by policies that “at least” include encryption. The HIT Policy Committee is a federal advisory committee established to provide guidance to the Office of the National Coordinator for Health IT (ONC) on health IT policy issues, and its privacy and security workgroup is charged with addressing the privacy and security issues involved in developing a framework for the exchange of health information.

According to the workgroup’s recommendations, encryption ideally should be required whenever there is potential for transmitted data to be exposed. The workgroup proposed that the encryption mandate come either through the meaningful use and certification criteria or through modification of the HIPAA Security Rule.

In addition to encryption, the group recommended that provider-to-provider exchange be governed by policies that include “limits on identifiable (or potentially identifiable) information in the message” and “identification and authentication.” According to the workgroup, “if strong policies are in place and enforced, we don’t think that the above scenario needs any additional individual consent beyond what is required by current law.”

If such recommendations are adopted and an encryption mandate imposed, this would have significant and far-reaching consequences for providers. We will continue to track the status of these recommendations as they evolve.

OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.

HHS Requests Comments on HITECH Accounting of Disclosures Requirements

In today’s Federal Register, the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) regarding the HITECH accounting of disclosures provisions.  The Department is collecting information to help inform its rulemaking. Building on the current HIPAA accounting of disclosure requirements, HHS is required to issue regulations concerning what information should be collected about disclosures for treatment, payment, and health care operations made through an electronic health record.  

In the RFI, HHS requests comments on nine questions, including whether the compliance deadline should be extended. Comments are due on or before May 18, 2010. A detailed listing of all questions and additional background information is available in the Federal Register.

HHS Scheduled to Issue Proposed HITECH Regulations in May

The U.S. Department of Health and Human Services (“HHS”) published its regulatory agenda (“Agenda”) in today’s Federal Register.  The Agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of HITECH. The Department is also scheduled to issue a final rule in May of this year, addressing the certification standards and implementation criteria for electronic health record technology.

HITECH Act Rulemaking and Implementation Update

OCR posted the following announcement on its website suggesting that information regarding specific compliance and enforcement dates will be included in the rulemaking.  The Department did not provide any information on when to expect a proposed privacy regulation.

*****

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.  New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009.  Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

List of Reported Breaches Affecting 500 or More Individuals is Now Available on HHS' Website

Today, as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on HHS’ website and includes the following information:

  • the entity’s name
  • state
  • approximate number of affected individuals
  • date of breach
  • type of breach (e.g., theft, misdirected e-mail)
  • location of information at time of breach (e.g., desktop computer, laptop, paper, mailing).

Enforcement of HHS and FTC Breach Notification Rules Begins Today

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begins today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 

HITECH Compliance Date is Here, but Without Associated Regulatory Guidance

Health care providers, health plans, clearinghouses and their business associates face a deadline for implementation of significant new compliance obligations.

February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.

Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).

New Requirements

Covered entities must now comply with most of the new privacy requirements introduced under HITECH including, among other requirements:

  • additional requirements regarding “minimum necessary” uses and disclosures of protected health information (PHI);
  • new limitations on uses and disclosures of PHI for marketing;
  • new individual rights related to electronic access to PHI maintained in an electronic health record; and
  • new individual rights allowing individuals the right to restrict their providers from sending PHI to the individuals’ health plan if the individuals pay in full for the product or service at issue.

Business associates also now face substantial new compliance obligations under HITECH. Prior to HITECH, business associates were not directly subject to HIPAA and were subject only to the contractual obligations imposed on them by covered entities through business associate agreements (BAAs). HITECH changes the regulatory landscape by imposing a direct statutory obligation on business associates to comply with the new privacy and security requirements. These include such things as:

  • compliance with the bulk of the HIPAA Security Rule requirements;
  • compliance with the new HITECH data breach provisions; and
  • compliance with the new individual rights provisions related to access to PHI and restrictions on certain disclosures of PHI.

BAA Challenges

HITECH further requires that the new privacy and security requirements “shall be incorporated” into BAAs. The amendment of BAAs has been one of the most troublesome and challenging issues for both covered entities and business associates. While some have hoped that HITECH “by law” amends existing BAAs (an argument that may raise constitutional issues given that private contracts and assets are at stake), most, if not all, have struggled with the decision whether to amend existing BAAs prior to the February 17, 2010 compliance date or rely upon a “transition period” that has been hinted at by the Department of Health and Human Services (HHS) and was provided in the Privacy Rule when compliance was required in 2003.

New Enforcement Framework

In addition to the new compliance challenges faced by covered entities and business associates under HITECH, several notable changes to HIPAA enforcement were also introduced under HITECH. Although many of the new enforcement provisions were effective upon enactment of HITECH (e.g., enforcement by state attorneys general, increased civil monetary penalties), several other enforcement provisions are now effective, including:

  • business associates are now subject to direct enforcement actions; and
  • covered entities and business associates are now subject to mandatory, periodic audits by HHS.

Beginning February 22, 2010, HHS also will begin enforcement of the new HITECH data breach regulations issued in September 2009.


Members of the Hogan & Hartson HIPAA Privacy practice are available to assist clients in working through these legal issues to implement compliance with HITECH efficiently and effectively—both before and after regulatory guidance is issued.


HHS Announces Workshop on HIPAA Privacy Rule's De-Identification Standard

The Department of Health and Human Services (“HHS”) announced that it will host an in-person workshop to address and collect stakeholders’ views regarding how to best implement the Privacy Rule’s current requirements for the de-identification of protected health information (“PHI”). The American Recovery and Reinvestment Act of 2009 (“ARRA”) requires HHS, in consultation with stakeholders, to issue guidance on methods for de-identifying PHI. The workshop, which will consist of multiple panel sessions, is open to the public and will be held on March 8-9 in Washington, DC. Following the workshop, HHS will synthesize the input it receives from the workshop and general comments, and issue guidance on its Web site for public comment.

The deadline to register for the workshop is March 1, 2010. Additional details about the workshop can be found on HHS’ Health Information Privacy Web site.

Connecticut AG Brings HIPAA Charges Against Health Net For Data Security Breach

In the first HIPAA action filed by a state attorney general, Connecticut Attorney General Richard Blumenthal filed a lawsuit yesterday against Health Net of Connecticut for failing to secure private medical and financial information concerning 446,000 of its Connecticut enrollees, and for subsequently neglecting to promptly notify affected individuals. Blumenthal is also seeking a court order to prevent Health Net from continued violations by requiring the company to encrypt any protected health information (“PHI”) contained on portable electronic devices. The lawsuit is the first action by a state attorney general to enforce HIPAA since the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provided state attorneys general with the power to initiate civil actions on behalf of state residents for violations of HIPAA.

In May 2009, Health Net discovered that a portable computer disk drive containing social security numbers, health claim forms and bank account numbers for approximately 446,000 Connecticut enrollees was missing. According to Blumenthal, Health Net subsequently failed to promptly notify appropriate authorities and consumers of the incident. Blumenthal further alleges that Health Net failed to comply with its own policies and federal law regarding the protection of personal information, and failed to effectively train and supervise its workforce on the proper policies for maintaining, using, and disclosing PHI.

ONC Establishes New Privacy Office As Part of Reorganization

The Office of the National Coordinator for Health IT (ONC) has announced that it will establish a new Office of the Chief Privacy Officer as part of a reorganization to better support the adoption and implementation of health IT.  This office will be led by a Chief Privacy Officer, who will be named by the Secretary, and will advise the national coordinator for health IT and others on issues related to data privacy and security.

The changes to ONC’s operational structure became effective December 1, and in addition include the creation of four new offices:

  • The Office of Economic Modeling and Analysis – This office will apply statistical and economic approaches to health IT investments and policies.
  • The Office of the Chief Scientist – This office will evaluate health IT grant programs, track innovations, lead research efforts and develop education programs. It replaces the interoperability and standards group.
  • The Office of the Deputy National Coordinator for Programs and Policy – Replacing ONC’s programs and coordination division, this office will oversee health IT grant programs.
  • The Office of the Deputy National Coordinator for Operations – This office will replace ONC’s policy and research group and will perform activities such as budget formulation, facilities management, contract and grants management, and financial strategic planning.

All offices will report directly to David Blumenthal, the National Coordinator for Health IT.

HHS Issues HITECH Act Enforcement Interim Final Rule

Today, the U.S. Department of Health and Human Services (HHS) released a pre-publication copy of an interim final regulation with a request for comments.  The regulations are being promulgated under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted earlier this year.  HITECH enhanced and expanded the enforcement and penalty provisions of the HIPAA Privacy Rule and this rule implements those changes.  The interim final regulations will be officially published in the Federal Register October 30th and will be effective on November 30, 2009.  Public comments will be accepted by HHS until December 29, 2009.

Federal Agencies Release New Genetic Information Privacy Rules

Several federal agencies released new rules yesterday implementing the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA prohibits discrimination based on genetic information in health coverage and employment. The Departments of Labor, Treasury, and Health and Human Services (HHS) issued Interim Final Rules, and HHS separately, through the Office of Civil Rights (OCR), issued a Proposed Rule.

The interim final rules prohibit group health plans and issuers in the group health insurance market from: (1) increasing premiums for the group based on genetic information, (2) requesting or requiring individuals to undergo a genetic test, and (3) requesting, requiring or purchasing genetic information prior to or in connection with enrollment, or at any time for underwriting. In general, individual health insurers are subject to the same or similar prohibitions, with certain exceptions. Comments are due on these interim final rules within 90 days of each rule’s publication in the Federal Register.

The OCR proposed rule seeks to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by including genetic information within the definition of health information and prohibiting covered health plans from using or disclosing genetic information for underwriting purposes (i.e., eligibility determinations, premium and contribution computations, applications of pre-existing condition exclusions and other activities relating to creation, renewal or replacement of health insurance). Comments are due 60 days from publication of the proposed rule in the Federal Register. 

HHS Issues Form and Instructions for Submitting Notice of a Breach to the Secretary

The Department of Health & Human Services (“HHS”) published an electronic notification form for covered entities to submit notice of a breach of security to the Secretary. The electronic form, available on HHS’ website, is for notification of breaches affecting 500 or more individuals and for breaches affecting fewer than 500 individuals.

The on-line form includes all of the elements required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.

If a covered entity discovers additional information related to a breach after submitting notification to the Secretary, the covered entity may submit an updated notification form using the on-line form.

FTC Breach Notification Rule Is Now in Effect

The health breach notification rule issued by the Federal Trade Commission (“FTC”) went into effect on Thursday, September 24, 2009.

The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records (“PHR vendors”), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities and instead are subject to a separate breach notification rule issued by the Department of Health and Human Services. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice of smaller breaches can be provided to the agency on an annual basis.

While the Rule is now in effect, the FTC has announced it will delay enforcement of its rule until February 22, 2010 in order to give entities time to come into compliance.

HHS Breach Notification Rule Goes into Effect Today

The breach notification rule issued by the Department of Health and Human Services (“HHS”) goes into effect on Wednesday, September 23, 2009. 

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Covered entities do not need to provide breach notification if the PHI was secured through methodologies and technologies specified by HHS in recent Guidance.  Notice also is not required if the breach does not pose a significant risk of financial, reputational or other harm to the individuals whose information was breached or in limited other exceptions for internal disclosures or involving limited health information. 

While HIPAA covered entities are expected to comply with this rule effective September 23, HHS has stated that it will not impose sanctions for failure to provide breach notifications until February 22, 2010 in order to give covered entities time to come into compliance. HHS is accepting comments on the provisions of the rule until October 23, 2009.

Hogan & Hartson's Marcy Wilder to Present on HITECH's Impact on Business Associate Agreements with Healthcare Providers

Hogan & Hartson's Marcy Wilder will be presenting on "HITECH's Impact on Business Associate Agreements with Healthcare Providers: Complying With New HIPAA Requirements and Preparing for Tougher Enforcement" in a CLE Teleconference on Thursday, September 24, 2009, at 1pm EDT.

The Health Information Technology for Economic and Clinical Health Act (HITECH) dramatically expands the scope and application of the HIPAA Privacy and Security Rules. These changes have the greatest impact on business associates and on agreements that providers reach with them. For the first time, business associates will be directly subject to many of the HIPAA rules. To ensure compliance with the new requirements, counsel to healthcare providers and business associates must examine the implications of HITECH for all existing and future agreements. This program will examine the new HITECH requirements as they relate to business associates and business associate agreements, discuss how to evaluate existing agreements, and offer best practices for developing and negotiating new agreements.

New Hampshire Enacts Health Information Privacy Laws

This summer New Hampshire enacted two laws that increase protection for health information. The first, H.B. 619, restricts the use of health data for marketing and fundraising purposes, and imposes new state data breach notification requirements on health care providers, including pharmacists.  The second, H.B. 542, establishes a framework for health information exchange entities (HIEs) and requires that individuals be permitted to opt out of sharing their protected health information with HIEs.  

H.B. 619 changes the definition of marketing to require an individual’s consent before communications can be made recommending alternative treatments, therapies, providers or settings of care unless those communications are made by the individual’s health care provider.  Currently, those communications can be made by health plans without the individual’s consent.  The bill also requires patients to be given an opportunity to opt out of fundraising using protected health information prior to any solicitation.  

The new law will be more protective than HIPAA because it requires the covered entity to seek an opt-out before the initial fundraising material is disseminated. It also includes a private right of action that will permit patients to bring a civil action in response to violations of the new marketing and fundraising restrictions. 

H.B. 619 also establishes a data breach notification requirement mandating that providers and business associates notify individuals in writing upon the unauthorized use or disclosure of their protected health information if such uses or disclosures violate New Hampshire law, even if the same uses or disclosures are “allowed under federal law”.  This law differs from New Hampshire’s general breach notification law in a number of ways, most notably that the health information law does not require any risk of harm threshold to be met before notification is mandated. Individuals may sue for violations of the breach notice requirements. 

H.B. 542 presents a framework for future health information exchange entities that permits providers to share information with HIEs but limits access to the information to providers and permits access for treatment purposes only.  HIEs also must maintain audit logs, documenting provider access to patient information, and must meet federal certification standards once these are finalized.

Both laws take effect January 1, 2010. 

HHS and FTC Issue Breach Notification Rules

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) have both issued data breach notification rules. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information.

The HHS interim final breach rule was issued August 26, 2009 and requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Notification need not be provided if the information was secured through methodologies and technologies specified by HHS in recent Guidance. Importantly, the HHS breach rule introduces a risk of harm standard under which notification is not required if a breach does not pose a significant risk of financial, reputational, or other harm to an individual. Limited exceptions are also provided for certain internal disclosures and breaches involving limited health information. Under the Rule, business associates are required to provide notice to covered entities following the discovery of a breach of unsecured PHI at or by the business associate. The Rule specifies timing, method, and content of notification requirements. The Rule is effective on September 23, 2009. HHS is accepting comments on the provisions of the Rule until October 23, 2009.

The FTC also issued its final breach rule, the Health Breach Notification Rule. The Rule applies to vendors of personal health records (“PHR vendors”), PHR-related entities, and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method, and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice to the agency of smaller breaches can be provided on an annual basis. The Rule, which was issued on August 17, 2009, has an effective date of September 24, 2009.

Both HHS and the FTC have decided to delay enforcement of their rules until 180 days after publication of their respective rules in the Federal Register. Full compliance with both rules will likely be required by February 22, 2010.