HealthBlawg

David Harlow's Health Care Law Blog

Son of HIPAA Breach Notification Rules

November 11, 2009

Health care providers: If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government — as well as by some private payors and self-insured employers — to get all health care providers wired in the near future, in order to better coordinate patient care, improve outcomes, and "bend the cost curve" all at the same time. There are some financial incentives in play for achieving "meaningful use" of "certified" EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data — or as it is known in HIPAA-speak, protected health information (PHI) — is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach. Compliance with these rules — issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to health care providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties — requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity: certain data breaches require notice to potentially affected individuals via the general media, in addition to the notices required to be filed with the regulators. The new rules — I call them Son of HIPAA — are layered on top of existing HIPAA privacy and security rules, the FTC's Red Flags Rule regarding identity theft protections to be put in place by any "creditor" (which includes health care providers not paid in full at the time of service — though the effective date of the Red Flags Rule is now delayed yet again), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that, for example, patients will not be bombarded with multiple data breach notifications about the same incident, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (i.e., unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm: the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that "pose a significant risk of financial, reputational, or other harm to the individual." For example, if an employee of a health care provider accesses a patient record inappropriately, but immediately realizes his or her mistake, exits the record quickly, and does not retain any PHI, that is not a reportable data breach.

Finally, "business associates" under HIPAA are now required to implement policies and procedures to maintain the privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notices of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

This is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

A version of this post was published on HCPlive.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


Comments

  1. Experiordata says

    November 17, 2009 at 11:30 pm

    Although encryption is not required, it is easy enough to implement. Sure, there are costs involved. However, it is the only technology recognized by the government that makes unsecured protected health information unreadable and undecipherable to unauthorized individuals. And there is peace of mind knowing that devices like tablets, USB drives, and laptops that move around are encrypted, as well as information flowing on the network.
