The Bridge - August 2013 - (Page 5)

Final rule makes changes to HIPAA regulations and HITECH Act and could lead to more breach notifications

By Michael Sullivan of William Gallagher Associates

On January 25, the Department of Health and Human Services (HHS) released its “Final Rule”, an update to several privacy and security protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Along with protecting a patient’s privacy and providing individuals with rights to access their health information, the rule modifies the definition of breach for protected health information (PHI).

The guidelines apply to both healthy volunteers and patient volunteers suffering from a chronic but stable condition not related to the target disease, where the administration of medicine is to obtain additional pharmacokinetic data about the medicine under research. Trials in which a patient with the target disease is being treated with the medicine being studied are exempt from the updated guidelines.

The Breach Notification Rule, mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), was originally issued in 2009 as an “interim final rule” and defined a breach as a use or disclosure of PHI that caused “a significant risk of financial, reputational or other harm to the individual.” This meant that any covered entity (CE) under HIPAA could determine whether or not a breach had occurred by conducting a risk of harm assessment, analyzing the individuals affected by the incident that involved the PHI. Covered entities could also use this analysis to determine whether or not the incident required notification to HHS and the content of that notification.

Under the new rule, HHS has declared that any impermissible use or disclosure of PHI is considered a breach, unless the CE can prove that the PHI has not been compromised. Rather than focusing strictly on the individuals harmed by the breach, CEs must assess the risks related to a variety of factors, including:

1. The nature and extent of the PHI involved
2. Any unauthorized person who used the PHI or to whom the breach was made
3. Whether or not the PHI was actually viewed or acquired
4. The extent to which the risk to the PHI has been mitigated

The Final Rule also affects the liability of vendors, or business associates (BAs: lawyers, consultants, medical transcriptionists, etc.) who have access to PHI. BAs are now directly liable for compliance breaches for:

1. The nature and extent of the PHI involved
2. Any unauthorized person who used the PHI or to whom the breach was made
3. Whether or not the PHI was actually viewed or acquired
4. The extent to which the risk to the PHI has been mitigated

Breaches must be reported to HHS within a certain time period as well, depending on the number of people involved. Large breaches (500 people or more) must be reported as soon as the affected patient has been notified. For breaches involving fewer than 500 people, a CE or BA must notify HHS within 60 days of the last day of the preceding calendar year in which the breach was discovered. In addition, CEs and BAs should expect frequent requests for information about the breach from the Office for Civil Rights, which holds enforcement authority over the Privacy and Security Rules of HIPAA.

While the Final Rule becomes effective March 26, CEs and BAs will have up to 180 days (until September 22, 2013) to comply with the new regulations.

According to HHS, HITECH does not pre-empt state law, and considers state regulation as the primary basis for PHI. Some states may have stricter rules than others regarding timeliness of breach notification, notification to state agencies and the content of the notification. Therefore, organizations should seek counsel on these issues to ensure they are in compliance with state laws.

So what can CEs and BAs do to prepare for the Final Rule? The following should be considered:

1. The nature and extent of the PHI involved
2. Any unauthorized person who used the PHI or to whom the breach was made
3. Whether or not the PHI was actually viewed or acquired
4. The extent to which the risk to the PHI has been mitigated

Cyber Insurance should be considered for any CEs or BAs that are affected by the final rule. In addition to providing coverage for third party privacy lawsuits, this can also include coverage for costs incurred by the CE or BA associated with notification costs, credit monitoring services, forensics, public relations or defense costs in relation to a regulatory action.

Golden Gate Chapter, August 2013
