Health Plans Must Comply with New HHS Interim Final Data Breach Rules Beginning September 24; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone

Employers and other health plan sponsors, fiduciaries, insurers and service providers need to move quickly to prepare to comply with  “breach notification” regulations issued by the U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009).  The new data breach regulations will require health plans, as well as  health care providers, business associates and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability  (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).  Covered entities must begin complying with the new rules no later than September 24, 2009.

Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201.  For more information, e-mail here.

 HITECH Act Data Breach and Unsecured PHI Rules

The new data breach notification rules are part of a series of recent HIPAA enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate  covered entities and business associates to provide certain notifications following a breach of “unsecured”  “protected health information” within the meaning of HIPAA, as amended.  “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary.

The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach and the form, manner, and timing of that notification.  For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act.  HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure.  To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the previously issued existing HHS guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals published earlier this year by HHS to for purposes of determining when protected health information will be considered “unsecured” for purposes of the HITECH Act data breach rules.  Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.  

The HHS interim final regulations are effective September 24, 2009, which is the date 30 days after the date they will be published on the Federal Register and include a 60-day public comment period. To review the interim final data breach regulations, see here.  To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

For More Information

The author of this article, Curran Tomko and Tarski LLP Labor and Employment and Health Care Practice Chair Cynthia Marcotte Stamer has extensive experience advising and assisting employer and other health plan sponsors, insurers, managed care providers and other health and insurance industry clients about HIPAA and other privacy and data security matters, as well as a diverse range of health care, employment, and emplyee benefit policy, regulatory, compliance, risk management and operational concerns. 

Current Chair of the American Bar Association (ABA) Real Property, Trusts & Estates Employee Benefit & Other Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, past chair of the American Bar Association Health Law Section Managed Care & Insurance Section, Martindale Hubble AV-rated and recognized in International Who’s Who of Professionals, Ms. Stamer continuously advises health care providers, health care payers and administrators, employers, governments and others about health care, insurance, human resources, privacy and data security, technology, and other legal and operational concerns.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer also writes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  She currently serves as the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010.  Examples of her other works include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of others.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service Privacy Report, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a various other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

We hope that this information is useful to you.  If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, or your other favorite Curran Tomko Tarski LLP Partner.

We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on Linkedin, registering to receive these updates here.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Solutions Law Press Health Care Update publication available here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to

©2009 Cynthia Marcotte Stamer.  All rights reserved. 

Comments are closed.

%d bloggers like this: