September 22, 2014 Deadline for Business Associate Agreements

August 22, 2014August 26, 2014 Margaret Young Levi Health Information Technology, HITECH Law, Privacy & Security, Uncategorized BAA, business associate, Business Associate Agreement, contractor, covered entity, HITECH Act, Omnibus Rule, Privacy & Security, privacy and security of protected health information

September 22nd Deadline Fast Approaching

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition). Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations. All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule. BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time. Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline. Continue reading →

New Kentucky Data Breach Rules Go into Effect

July 15, 2014July 18, 2014 Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security definition of personally identifiable information, encryption standards, Privacy & Security, privacy and security of protected health information, state data breach law

Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them. However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency. Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.

Continue reading →

After LabMD: FTC, What Do We Comply With?

February 20, 2014April 15, 2014 Ann Feldkamp Triebsch Federal Law Resources, FTC Enforcement, Health Information Technology, Privacy & Security FTC, LabMD, Privacy & Security

by Ann F. Triebsch

As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches. In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August, 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not. For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough? Should they be doing more to also demonstrate compliance to the FTC? Continue reading →

Legislation would require Kentucky businesses to notify consumers of data breach

January 29, 2014March 12, 2014 Dan Soldato Electronic Health Records, Federal Law Resources, FTC Enforcement, Health Information Technology, HITECH Law data breach, State Breach Notification Law

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are becoming an increasing public concern and a headline in the daily news. We regularly hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies, retailers, and telecommunications companies. These risks are exponentially increasing with the increased use of mobile devices in businesses (e.g., laptops, tablets, flash drives, smartphones, etc.) and the increased use of mobile apps by consumers. Electronic data, if not adequately secured, can lead to both physical and electronic thefts (e.g., hacking, malware, etc.). In light of the increase in data breach reports, this week, the Consumer Financial Protection Bureau issued an advisory bulletin to provide guidance to consumers on protecting their personal information following the recent high-profile breaches involving debit cards and other payment data (e.g., Target, Michaels, Neiman Marcus). Notice to consumers about a breach of their data is seen as another way to further protect against a loss.

Data Breach Laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 5 of the Federal Trade Commission Act are two federal laws under which federal agencies aim to protect the confidentiality of sensitive personal information such as health information, social security numbers and other personally identifiable information. In addition, many states have enacted laws that have a similar aim. One such law that many states have enacted is a breach notification law that requires business entities to notify affected individuals when their personally identifiable information has been breached or compromised.

Kentucky is one of a handful of states that has yet to enact a breach notification law. However, on January 21, 2014, Representative Steve Riggs introduced HB232, which, if passed, would implement new standards and requirements to notify affected individuals in the event of a breach of their personally identifiable information. The Bill is now under consideration by the House Labor and Industry Committee. Continue reading →

The FTC: Watchdog for Privacy and Security of Sensitive Personal Data

January 21, 2014November 24, 2015 Ann Feldkamp Triebsch FTC Enforcement, Health Information Technology, HITECH Law, Privacy & Security Big Data, FTC Enforcement, Health Information Technology, Internet of Things, LabMD, Privacy & Security, privacy and security of health information exchange

Those who dwell in the world of health care privacy and security know well that the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic & Clinical Health Act of 2009(HITECH). But we also know, as citizens of the 21^st Century, that privacy and security concerns extend far beyond insurance claims and health records in our doctors’ offices. With every new smartphone we indulge in, every online purchase we make, every retail loyalty program for which we register, we share valuable chunks and tidbits of data about ourselves that now can be used to tell others far more about us than we ever would have dreamed possible, or probably desire. The internet and astounding connectivity of so many technological devices, both consumer and commercial, allow extremely private and sensitive information to be accessed by parties we do not know and cannot imagine, for both our benefit and detriment. Continue reading →