HIPAA Breach Notification Rule

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule

The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.
Continue Reading FTC Announces it will Provide Guidance on Ransomware

By Anna Kraus

On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire.  According to HHS, this is the first settlement based on a covered entity not having policies and procedures in place to address the breach notification requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Like other HIPAA investigations, this one began after HHS received notification of a breach of unsecured protected health information (PHI).  In October 2011, APDerm notified HHS that an unencrypted thumb drive, which contained electronic PHI relating to the surgeries of approximately 2,200 patients, was stolen from an employee’s vehicle and not recovered.  HHS found through its investigation that APDerm:

  • Did not conduct a proper risk assessment under the HIPAA Security Rule until one year later (October 2012);
  • Did not fully comply with the HIPAA Breach Notification Rule requirements to have written policies and procedures regarding breach notification, and to train workforce members on those policies and procedures, until February 2012; and
  • Committed an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule, when it gave an unauthorized individual access to the unencrypted thumb drive that was later stolen.

Continue Reading HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures

On June 11, the Department of Health and Human Services released an unofficial version of all of the HIPAA regulatory standards in one document.  The combined regulation text includes the following HIPAA standards:

  • Transactions and Code Set Standards
  • Identifier Standards
  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Breach Notification Rule

The

Continue Reading HHS Releases Unofficial Set of Combined HIPAA Regulations

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.Continue Reading HITECH Update # 7: New HIPAA Requirements for Business Associates and Their Subcontractors

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The HITECH omnibus rule establishes a new standard for determining whether an unauthorized use or disclosure of unsecured protected health information (“PHI”) is a “breach” requiring notification.   Under the current Breach Notification Rule, covered entities are required to notify individuals of a breach involving their unsecured PHI, and business associates have a corresponding obligation to notify covered entities. The current rule states that an unauthorized use or disclosure of PHI is a “breach” if it poses a significant risk of financial, reputational, or other harm to the individuals affected.

The omnibus rule replaces the “risk of harm” test with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the covered entity or business associate “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.”  HHS stated that the omnibus rule establishes a presumption that uses or disclosures of PHI in violation of the Privacy Rule are “breaches” because HHS believes that many covered entities and business associates have construed the existing “risk of harm” standard as setting a higher bar than HHS intended.  Covered entities and business associates now have the burden of proving that there is a “low probability” that PHI has been compromised through a risk assessment that accounts for at least the following factors:

  1.  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

All of these factors must be considered in combination.  If a covered entity or business associate determines that an unauthorized use or disclosure of PHI is not a breach, it will need to maintain documentation sufficient to overcome the presumption that PHI was compromised.  HHS suggests that these risk assessments allow for a more “objective” evaluation than the current “risk of harm” standard, and plans to provide further guidance on risk assessments that addresses “frequently occurring scenarios.”Continue Reading HITECH Update #3: HHS Revises Breach Notification Rule

By Anna Kraus

The U.S. Department of Health and Human Services has issued its long-awaited final omnibus rule modifying the privacy, security, enforcement, and breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The rule is based on statutory changes under the Health Information Technology
Continue Reading HHS Issues Long-Awaited Final HITECH Regulations