HIPAA Final Rule 2013-Data Breach Notification

Data Breach Notification (DBN) has been one of the most contentious issues of the HIPAA regulations. Presently, a breach of unsecured protected health information, whether at the Covered Entity or at the Business Associate, needs to be reported by the Covered Entity to the affected individuals, the HHS and the media. While the public wants such disclosure, business organizations were wary of it because of the possibility of loss of reputation and the creation of panic on account of innocuous and accidental breaches.

Taking both sides of the argument into consideration, the Final Rule states the following:

“Breach notification is not required if the covered entity/Business Associate can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised”

The Final Rule also provides guidelines for the risk assessment, stating that at least the following factors need to be considered, along with any other relevant matters:

(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the protected health information or to whom the disclosure was made;
(3) whether the protected health information was actually acquired or viewed; and
(4) the extent to which the risk to the protected health information has been mitigated.

As a corollary, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors.

Such a risk assessment must be conducted following both impermissible uses and impermissible disclosures that do not otherwise fall within the other enumerated exceptions to breach.

Covered entities and business associates need to investigate an impermissible use or disclosure to determine if the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.

Further, Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.

A “post suspected breach audit” is therefore mandatory.

It is also clarified that, for determining the time by which the notice is to be sent, the period is calculated “from the date of discovery” and not from the date of occurrence. However, it is reiterated that the 60-day limit is only an outer limit; the notice has to be provided within a reasonable time, at the earliest opportunity.

Naavi

Posted in HIPAA

HIPAA Final Rule 2013-Definitions

The HIPAA Final Rule 2013, effective from March 26, 2013, makes a few important changes to the definitions.

Firstly, the definition of “Business Associate” has been expanded to include “Patient Safety Organizations”. Health Information Organizations (HIOs), e-prescribing gateways and other persons that facilitate data transmission, as well as vendors of personal health records, will likewise be considered “Business Associates”, and such Business Associates will be directly covered by the obligations of the Privacy, Security and Enforcement Rules.

Secondly, any “Sub Contractor” of a business associate will also be covered under the provisions of the Final Rule as applicable to Privacy, Security and Enforcement. For this purpose, a Sub Contractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Hence the requirement of obtaining satisfactory assurances for meeting HIPAA obligations extends to Sub Contractors as much as to the primary business associates.

The third definitional aspect modified by the Final Rule is that the term “PHI” extends to the information of a deceased person for a period of up to 50 years after death.

Naavi

Posted in HIPAA

HIPAA Final Rule 2013-Background

The HIPAA Privacy and Security Rules are covered under:

1. The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)

2. The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

3. The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C–E)

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009, as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules, and also requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security, and enforcement.

The HITECH Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates.

In addition, the Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.

Some of the proposed, and now final, changes are necessitated by the statutory changes made by the HITECH Act and GINA, while others are of a technical or conforming nature.

Naavi

Posted in HIPAA, Uncategorized

HIPAA Final Rules 2013- An Omnibus Rule

The HIPAA Final Rules announced with effect from 26th March 2012 comprise four final rules. Hence they are being referred to as the “Omnibus Final Rule”.

They are:

1. Final modifications, with improvements, to the proposed rule of July 14, 2010 under the HITECH Act. These:

a) Make Business Associates directly liable for compliance with the relevant parts of the Privacy and Security Rules
b) Strengthen the limitations on the use and disclosure of PHI for marketing
c) Expand individuals’ right to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full
d) Require modifications to, and redistribution of, a covered entity’s notice of privacy practices
e) Modify the individual authorization and other requirements to facilitate research and the disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others
f) Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as non-compliance due to wilful neglect

2. Final Rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
3. Final Rule on Breach Notification for Unsecured PHI
4. Final Rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

Naavi

Posted in HIPAA, Uncategorized

Privacy Rule under HIPAA-HITECH Act expanded

HHS, the department of Health and Human Resources, has revised the Privacy and Security Rules and broadened their reach, particularly for Business Associates.

Since many Indian entities work as Business Associates of HIPAA covered entities, this development is of relevance to their activities. Related report: Press Release

The directions will be effective from March 26, 2013. Compliance deadline is 180 days from this date, which will be 23rd September 2013.

The rule:

a) clarifies when breaches of information must be reported to the Office for Civil Rights,

b) sets new rules on the use of patient-identifiable information for marketing and fundraising, and

c) expands direct liability under the law to the “business associates” of hospitals, physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

d) It also restores to patients a limited right of consent to control the release to their insurance company of records about their treatment if they pay for that treatment out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.

These changes will be incorporated with immediate effect in the forthcoming HIPAA-HITECH Act audits conducted by Naavi and Ujvala Consultants Private Limited.

Naavi

Posted in HIPAA, Privacy, Uncategorized

Aaron Swartz is a victim of Bad application of law

Aaron Swartz, the young techie who committed suicide on the 11th of January, represents a tragedy that could have been prevented if the Police had been more reasonable.

Swartz was deeply involved in the campaign against the “Stop Online Piracy Act” (SOPA), which was seen as an act that would have made it easy for the US Government to shut down sites for copyright violations and, in the process, would have curbed some of the fundamental rights associated with the early concept of the Internet as a vehicle of free information.

Swartz was being prosecuted for the unauthorized downloading of material from the JSTOR database, which he felt was a fight against the inappropriate use of copyright law, where publishers got more benefit than authors. See here for details.

It is alleged that the US prosecutors tried to demand higher punishments by invoking the Computer Fraud and Abuse Act, thereby trying to enhance the possible punishment from around 6 months to 35 years.

In the tech circles, Swartz is seen as a crusader who lost his life because of bad implementation of law.

For a long time the untimely death of Aaron Swartz will continue to disturb internet activists.

Naavi

Posted in Netizen's Forum, Uncategorized