Breach Notification Deadline is February 29th

February 16, 2024March 1, 2024 Margaret Young Levi data breach; notification, Data Privacy & Security Breach Notification, Cyber Security, data breach, healthcare sector, HHS OCR Deadline, HIPAA

By: Margaret Young Levi

Head’s up! The deadline for notifying the Office for Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually on March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29^th.

The HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, requires HIPAA covered entities to provide notification following a breach of unsecured protected health information (PHI) to affected individuals, to OCR, and, in certain circumstances, to the media.

HIPAA covered entities must notify all individuals whose PHI has been impermissibly used or disclosed without unreasonable delay, and in no case later than 60 days from the discovery of a breach.

Reporting to OCR is accomplished by electronically submitting a breach report form. If a breach affects 500 or more individuals, then covered entities must submit the breach report to OCR without unreasonable delay and in no case later than 60 days following a breach. If, however, the breach affects fewer than 500 individuals, then the covered entity may choose to submit such breach reports on an annual basis. (Note that covered entities must submit a separate breach report for each breach incident and cannot combine them.) Annually submitted breach reports are due to OCR no later than 60 days after the end of the calendar year in which the breaches are discovered, which falls on February 29, 2024. In addition to notifying the individual and OCR, covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.

Looking for assistance with your organization’s data security policies? We work with clients and their IT team in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threats environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Right and FTC. Information security policies also aide organizations in meeting other legal requirements and expections, e.g., contractual, cyber insurance underwriting, consumer, and other third-parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

FTC Warns That Health Apps Must Notify Consumers of Data Breaches

October 11, 2021 Margaret Young Levi Data Privacy & Security data breach, Federal Trade Commission, Health Apps

By: Margaret Young Levi

On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.

The Health Breach Notification Rule (codified at 16 C.F.R. § 318) protects individually identifiable health information created or received by vendors of personal health records. The Rule requires vendors of personal health records to notify U.S. consumers, the FTC, and sometimes the media when there has been a breach of security of unsecured identifiable health information. Persons that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation, per day.

The Health Breach Notification Rule became effective in 2009, but the FTC has not enforced it to date. However, because health care applications continue to proliferate and to collect increasingly personal and sensitive health information, the FTC issued this Policy Statement to place health apps on notice that the Rule will be enforced going forward and to clarify that they are considered to be “vendors of personal health records” covered under the Rule.

The FTC explains that the developer of a health app or connected device is considered a “vendor of personal health records” under the Rule if it is capable of drawing information from multiple sources, such as a combination of direct inputting by a consumer, syncing with a consumer’s fitness tracker, or even interfacing with the phone calendar. The Rule does not apply to vendors of personal health records who are already covered by HIPAA.

In addition, the FTC reminds vendors of personal health records that a “breach of security” is not limited to cyberattacks by third parties, but includes any acquisition of identifiable health information of an individual in a personal health record without the individual’s authorization. The FTC states that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”

If a breach occurs, then health apps should examine state data breach notification laws to determine if they apply as well.

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

February 5, 2021July 15, 2021 Kathie McDonald-McClure Data Privacy & Security, HIPAA, HITECH Law "recognized security practices", 21st Century Cures Act, administrative physical technical safeguards, cyber attack, data breach, HIPAA Security Rule

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021. This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA).

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule.

Continue reading →

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

January 30, 2017January 30, 2017 Margaret Young Levi Data Privacy & Security, HIPAA, Privacy & Security data breach, data privacy, Federal Law Resources, OCR, protected health information

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading →

LabMD Appeals; Court Grants Temporary Stay

December 2, 2016December 5, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security data breach, Federal Trade Commission, FTC, LabMD

In a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case. The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law. It ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call. Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit. At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal. A copy of the court’s Order granting the stay is available here. When issuing the stay, the court found that there existed a serious legal question as to Continue reading →