Employer and other health plans, health care providers, health clearinghouses and their business associates must start complying with new federal data breach notification rules on September 23, 2009.
The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information.The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).
You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9 2009 from Noon to 1:30 P.M. Central Time.
HITECH Act Data Breach and Unsecured PHI Rules
Published in the August 24, 2009 Federal Register, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 23, 2009.
Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.
Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.
For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.
Read the Breach Regulation here . To review the HITECH Act Breach Notification Guidance and Request for Information, see here .
Register For September 9, 2009 “HITECH Act Health Data Security & Breach Update”
Interested persons are invited to register here now to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For questions or other information about this program, e-mail here.
Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:
- Who must comply
- What your organization must do
- How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
- What is considered a breach of unsecured protected health information
- What steps must a covered entity take if a breach of unsecured protected information happens
- What liabilities do covered entities face for non-compliance
- What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
- How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
- Other recent developments
- Practical tips for assessing, planning, moving to and defending compliance
- Participant questions
About The Presenter
The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Past Chair of the ABA Health Law Section Managed Care & Insurance Section and currently the Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Section and a Council Representative of the ABA Joint Committee On Employee Benefits, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, firstname.lastname@example.org or another Curran Tomko Tarski LLP Partner of your choice.
Other Helpful Resources & Other Information
If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to email@example.com.
©2009 Cynthia Marcotte Stamer. All rights reserved.