New Kentucky Data Breach Rules Go into Effect

Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them.  However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency.  Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.


March 1, 2014 is Deadline to Report Breaches Affecting Less than 500

Saturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all “small breaches” of unsecured protected health information that occurred during 2013.  Entities subject to this deadline include health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses.  A “small breach” is a breach affecting fewer than 500 individuals.

Although affected individuals must be notified within 60 days of the breach’s discovery, the breach itself also must be reported to OCR within 60 days of the close of the calendar year in which it was discovered, that is, by March 1 of the following year.  The notice must be submitted electronically through OCR’s online breach reporting form, and a separate breach notification form must be completed for each breach.

Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013.  It is OCR’s position that a breach is presumed unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorized access to unsecured protected health information, entities should immediately perform a risk assessment and weigh the specified factors to decide whether there is a low probability of compromise (LoProCo). If a LoProCo analysis is not done, a breach is presumed: even if a LoProCo analysis would have shown that the incident was not a breach, the loss, theft or unauthorized access of unsecured protected health information must be reported to OCR as a breach.  For more information about the LoProCo analysis, see our previous post of December 1, 2013.

Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by, or settlement reached with, the United States Office for Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned?

Who Accessed My Health Records? Recommendation for Quality over Quantity in Access Reports

By Kathie McDonald-McClure, Ann F. Triebsch and Margaret Young Levi

[Image: Accounting for Disclosures Would Include Disclosures of PHI to All Staff]

The Office of the National Coordinator for Health IT (ONC) Health IT Policy Committee voted in December 2013 to recommend that the United States Department of Health & Human Services (HHS) scale back its 2011 proposed rules requiring covered entities to provide patients with reports showing the name of every staff member who accessed their information in an electronic health record (EHR). As reported by Government Health IT, the committee’s Privacy and Security Tiger Team opposes a requirement that entities covered by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) give such broad “accounting of disclosure” reports to patients.

Don’t Forget to Protect your Paper Health Records!

Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records.  While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or more individuals)