Healthcare Practice. HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act. February 2010



Similar documents
Healthcare Practice. HIPAA/HITECH Act vs. the Washington Data Breach Notification Act. November 2009

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

COMPLIANCE ALERT 10-12

Community First Health Plans Breach Notification for Unsecured PHI

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

The ReHabilitation Center Buffalo Street. Olean. NY

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

POLICY AND PROCEDURE MANUAL

STANDARD ADMINISTRATIVE PROCEDURE

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

what your business needs to do about the new HIPAA rules

Checklist for HITECH Breach Readiness

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

HIPAA Privacy Breach Notification Regulations

Data Breach, Electronic Health Records and Healthcare Reform

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Breach Notification Policy

Reporting of Security Breach of Protected Health Information including Personal Health Information Hospital Administration

How To Notify Of A Security Breach In Health Care Records

Information Privacy and Security Program. Title: EC.PS.01.02

New HIPAA Rules and EHRs: ARRA & Breach Notification

HIPAA Breach Notification Policy

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A.

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

M E M O R A N D U M. Definitions

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

Business Associate Agreement

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HIPAA 101. March 18, 2015 Webinar

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

Business Associate Agreement Involving the Access to Protected Health Information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

DATA BREACH CHARTS (Current as of December 31, 2015)

HIPAA BREACH RESPONSE POLICY

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Special Report The HITECH Act

January An Overview of U.S. Security Breach Statutes

Disclaimer: Template Business Associate Agreement (45 C.F.R )

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

New Privacy Laws Impacting the Health Care Work Place

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

Business Associates and HIPAA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

Violation Become a Privacy Breach? Agenda

Use & Disclosure of Protected Health Information by Business Associates

S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

HIPAA NOTICE OF PRIVACY PRACTICES

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

What do you need to know?

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

My Docs Online HIPAA Compliance

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

51ST LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, 2014

HIPAA Privacy and Security

HIPAA Update Focus on Breach Prevention

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

The Basics of HIPAA Privacy and Security and HITECH

Michie's Legal Resources. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence Act of [Acts 1999, ch. 201, 2.

H. R Subtitle D Privacy

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

HIPAA In The Workplace. What Every Employee Should Know and Remember

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Transcription:

Healthcare Practice HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act February 2010

HIPAA/HITECH Background Healthcare Practice Stephen Rose srose@gsblaw.com 206.464.3939 Ext 1375 Larry Brant lbrant@gsblaw.com Nancy Cooper ncooper@gsblaw.com Carla DewBerry cdewberry@gsblaw.com Joy Ellis jellis@gsblaw.com David Gee dgee@gsblaw.com Roger Hillman rhillman@gsblaw.com Benjamin Lambiotte blambiotte@gsblaw.com Eric Lindenauer elindenauer@gsblaw.com Lam Nguyen-Bull hqnguyen@gsblaw.com Theresa Simpson tsimpson@gsblaw.com Emily Studebaker estudebaker@gsblaw.com Lowell Turnbull lturnbull@gsblaw.com Scott Warner swarner@gsblaw.com In 2003, the Health Information Portability and Accountability Act ( HIPAA ) became eective. The purpose of HIPAA was to provide baseline federal protections for personal health information held by healthcare providers (termed covered entities ) and give patients an array of rights with respect to that information. In 2009, HIPAA was supplemented and enhanced by the Health Information Technology for Economic and Clinical Health Act ( HITECH ). HITECH imposes stricter enforcement penalties and details notification requirements to patients should their health information be improperly disclosed. In short, HIPAA/HITECH aects a very wide range of healthcare providers from hospitals, doctors, chiropractors, nursing homes to pharmacies and health plan providers -- as well as business associates of those healthcare providers. Compliance with the HIPAA standards was required as of April 14, 2003 for most entities. HITECH has dierent compliance dates with many sections of HITECH requiring compliance by February of 2010. Enforcement What Covered Entities Need to Know The Oice for Civil Rights ( OCR ) is charged with responsibility for enforcing HIPAA. OCR seeks voluntary compliance but has power to impose significant civil monetary penalties for noncompliance. OCR may conduct compliance reviews and audits and investigate complaints alleging HIPAA violations. If OCR determines that a violation has occurred, OCR may impose a civil monetary penalty of up to $500,000 per violation up to a maximum of $1.5 million per year. OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA. HITECH provides OCR with significant enhancements of its enforcement capabilities. It is anticipated that the number and intensity of OCR investigations of alleged HIPAA violations will greatly expand with the implementation of the HITECH provisions. Following Federal and State Law HITECH imposes breach notification requirements should health information be improperly disclosed. In many instances a breach requiring patient notification under HIPAA/HITECH will also trigger notification under state law. The following chart is intended to compare the similarities and dierences between the HIPAA/HITECH and the Oregon Consumer Identity Theft Protection Act ( CITPA ), and outlines the definitions and notification requirements under both federal and state law.

GSBlaw.com Healthcare Practice Garvey Schubert Barer serves leading healthcare organizations across the Northwest, including hospitals, ambulatory surgery centers, managed care providers, long-term care facilities, physician organizations, clinical laboratory and pathology companies, genomic laboratories, medical device manufacturers, third-party payors, and healthcare associations. We understand the constraints facing the industry, and oer a wide range of services, including: Healthcare Practice Stephen Rose srose@gsblaw.com 206.464.3939 Ext 1375 Larry Brant lbrant@gsblaw.com Acquisitions, Consolidations, Mergers and Other Transactions Antitrust Bankruptcy Bond and Other Capital Financing Business and Corporate Federal and State Regulatory Advice Federal, State and Local Taxation Fraud and Abuse Regulation HIPAA Integrated Delivery Systems, Joint Ventures and Other Collaborative Arrangements IP and Technology Labor Relations and Employment Advice Litigation and Dispute Resolution Managed Care and Health Insurance Provider Reimbursement and RAC Audit Defense Quality Assurance Real Estate Nancy Cooper ncooper@gsblaw.com Carla DewBerry cdewberry@gsblaw.com Joy Ellis jellis@gsblaw.com David Gee dgee@gsblaw.com Roger Hillman rhillman@gsblaw.com Benjamin Lambiotte blambiotte@gsblaw.com We appreciate the economic, regulatory and competitive challenges facing the healthcare industry. Our goal is to partner with our clients, serving as trusted advisors to help our clients succeed in this competitive industry. Garvey Schubert Barer Garvey Schubert Barer is a full-service law firm with over 100 lawyers serving clients in the United States and abroad, with particular focus on the Pacific Northwest. From our five strategic locations, Beijing, New York, Portland, Seattle and Washington, D.C., we serve as outside counsel to established market leaders, newly launched enterprises and governmental bodies. Since its inception in 1966, GSB has served clients across virtually all industry sectors, including healthcare, technology, trade, transportation, maritime, financial services, real estate, communications and media, entertainment and Eric Lindenauer elindenauer@gsblaw.com Lam Nguyen-Bull hqnguyen@gsblaw.com Theresa Simpson tsimpson@gsblaw.com Emily Studebaker estudebaker@gsblaw.com Lowell Turnbull lturnbull@gsblaw.com Scott Warner swarner@gsblaw.com manufacturing. The firm provides comprehensive, practical solutions to Fortune 500 companies and a broad range of privately held companies, investment firms, financial institutions, not-for-profit organizations and individuals. 6

OREGON Comparison of the HIPAA/HITECH Act And the Oregon Consumer Identity Theft Protection Act (CITPA) TOPIC HIPAA/HITECH OREGON CITPA Notification to Media, Government Media, Government and/or Third and/or Parties Third Parties Media: If breach aects more than 500 residents of a state or jurisdiction. 26 Government-500 or More Aected: If breach aects 500 or more individuals, notice must be given to HHS contemporaneously with the notice being given to the aected the aected individual. individual. 27 Government-Fewer Than 500 Aected: If breach aects fewer than 500 individuals, covered entity shall maintain a log or other documentation of breaches and provide that information to HHS within 60 days after the end of each calendar year. 28 If breach aects more than 1,000 individuals notice must be given to all consumer reporting agencies 29 that compile and maintain reports on consumers on a nationwide basis. 30 26. 164.406. 27. 164.408 (b). 28. 164.408 (c). 29. Consumer reporting agency means a consumer reporting agency as described in the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on October 1, 2007. ORS 646A.602 (4). 30. ORS 646A.604 (6). Published October February 2010 2009 2009 2010 Garvey Schubert barer The information presented here is intended solely for informational purposes and is of a general nature that cannot be regarded as legal advice. OR_V3_H OR_V2_H

OREGON Comparison of the HIPAA/HITECH Act And the Oregon Consumer Identity Theft Protection Act ( CITPA ) TOPIC HIPAA/HITECH 1 OREGON CITPA Eective Date for Rule September 23, 2009 2007 Implementation Government Enforcement Begins Type of Information Covered Breach Notification Activator Breach Definition HHS will not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 days from the date of publication of the HITECH rules. (Approximately August 24, 2009 through February 20, 2010). Unsecured protected health information ( PHI ). 2 Discovery of a breach of unsecured PHI. 5 The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA which compromises the security or privacy of the PHI. 6 2007 Unencrypted 3 computerized data containing personal information. 4 Discovery of a breach if the breach materially compromises the security, confidentiality or integrity of personal information. Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information. 7 1. Refers to the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). All section references below are to the HITECH Act. 2. Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary [of Health and Human Services] in guidance. 13402(h). This guidance was issued on April 17, 2009 and is published in the Federal Register at 74 FR 19006. 3. Encryption means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. ORS 646A.602 (6). 4. Personal Information means a consumer s first name or first initial and last name in combination with any one or more of the following unencrypted data elements: (a) Social Security number; (b) Driver license number or state identification card number issued by the Oregon Department of Transportation; (c) Passport number or other United States identification card number; or (d) financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer s financial account, or any of the unencrypted data elements or any combination of the data elements ((a) through (d)) not combined with the consumer s first name or first initial and last name if the information obtained would be suicient to permit a person to commit identity theft against the consumer whose information was compromised. ORS 646A.628 (11). 5. A breach is treated as discovered as of the first day on which the breach is known by the covered entity or, by exercising reasonable diligence would have been known to the covered entity. 164.404. 6. Compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual. 164.402 (1)(i). 7. ORS 646A.602 (1)(a). 2 GSBlaw.com

OREGON TOPIC HIPAA/HITECH OREGON CITPA Exceptions to Breach Definition 1. Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate if done in good faith and within the scope of authority granted and does not result in further use or disclosure in a manner not permitted under HIPAA. 8 2. Inadvertent disclosure between persons authorized to have access by the same covered Good-faith acquisition of personal information by an employee or agent for a legitimate purpose provided that the personal information is not used in violation of applicable laws or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information. 11 entity or business associate or organized health care arrangement and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under HIPAA. 9 3. Disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI. 10 Direct Notification Written notice by first-class mail to the individual at the last known address of the individual or, if the individual agreed to electronic notice, by electronic mail. 12 May be provided by one of the following methods: 1. Written notice, 13 or 2. Electronic notice if the customary method of communication with the consumer is by electronic means, or 3. Telephone notice provided the contact is made directly with the aected person. 14 Substitute Notification When Allowed Allowed when there is insuicient or out-ofdate contact information that precludes written notification. 15 15 Cost of providing notice would exceed $250,000 and number of aected individuals exceeds 350,000 or if suicient contact information for aected individuals is lacking. 16 16 8. 164.402 (2)(i). 11. ORS 646A.602 (1)(b). 14. 14 ORS 646A.604 (4) (a)-(c). 9. 164.402 (2)(ii). 12. 164.404 (d)(1). 15. 15 164.404 (d)(2). 3 10. 164.402 (2)(iii). 13. The statute does not define the term written notice. 16. 16 ORS 646A.604 (4)(d).

Comparison of the HIPAA/HITECH Act And the Oregon Consumer Identity Theft Protection Act (CITPA) TOPIC HIPAA/HITECH OREGON CITPA Substitute Notification Method of Delivery 1. If fewer than 10 individuals are to be notified, substitute notice may be provided by an alternative form of written notice, telephone, or other means. 17 2. If more than 10 individuals are to be notified, substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the web site of the covered entity, or conspicuous notice in major print or broadcast media in geographic areas where the individuals aected by the breach likely reside. 18 Conspicuous posting of the notice or a link to the notice on the Internet home page of the company responsible for the breach and notification to statewide television and newspaper media. 19 Notification Deadlines Deadlines Notification is to be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. 20 Immediately upon discovery of the breach. 21 Delay in Notification Delay in Notification Allowed? Allowed? Notification Notification Information Information Allowed for 30 days if law enforcement oicial Allowed for 30 days if a law enforcement oicial states to the covered entity or business associate that states to the covered entity or business associate that notification would impede criminal investigation or notification would impede a criminal investigation or cause damage to national security. Delays of more cause damage to national security. Delays of more than 30 days allowed only if law enforcement oicial than 30 days allowed only if law enforcement oicial makes written request. makes a written request. 1. A brief description of what happened, including 1. A the brief date description of the breach of what and happened, the date of including the the discovery date of of the the breach breach, and if known; the date of the 2. discovery A description of the of breach, the types if known; of PHI involved in the 2. A breach; description of the types of PHI involved in the 3. breach; Steps individuals should take to protect 3. Steps themselves individuals from potential should take harm to protect resulting from themselves breach; from potential harm resulting from the 4. breach; Brief description of what the covered entity 4. Brief is doing description to investigate, of what mitigate, the covered and protect entity is doing against to any investigate, further breaches; mitigate, and and protect against 5. any Contact further procedures breaches; for and individuals to ask 5. Contact questions procedures or learn additional for individuals information to ask which questions shall include or learn a toll-free additional telephone information number, which an shall e-mail include address, a toll-free web site, telephone or postal number, address. an 24 e-mail address, web site, or postal address. 24 Allowed if law enforcement agency Allowed if a law enforcement agency determines that notification will determines that notification will impede criminal investigation and impede a criminal investigation and the law enforcement agency makes the law enforcement agency makes written request that notification be a written request that notification be delayed. 23 delayed. 23 1. A description of the incident in 1. A general description terms; of the incident in 2. general The approximate terms; date of the 2. The breach; approximate date of the 3. breach; The type of personal information 3. The obtained type of as personal a result of information the obtained breach; as a result of the breach; 4. 4. Contact information of of company responsible for for the the breach; 5. 5. Contact information for for national consumer reporting agencies; and 6. Advice and to aected individual on 6. how Advice to report to aected suspected individual identity on theft how to to report law enforcement suspected and identity the Federal theft to Trade law enforcement Commission. and 25 the Federal Trade Commission. 25 17. 164.404 (d)(2)(i). 18. For this substitute notice the covered entity must also establish a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual s unsecured PHI may be included in the breach. 164.404 (d)(2)(ii). 19. ORS 646A.604 (4)(d) (A)-(B). 20. 164.404 (b). 21. ORS 646A.604 (2). 22. 164.412. 23. ORS 646A.604 (3). 24. 164.404 (c). 25. AS 45.48.010 (a). 4

Portland Bank of America Financial Center 121 SW Morrison Street 11th Floor Portland, OR 97204-3141 503.228.3939 Tel 503.226.0259 Fax Seattle Second & Seneca Building 1191 Second Avenue 18th Floor Seattle, WA 98101-2939 206.464.3939 Tel 206.464.0125 Fax

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information