Health Care and Information Privacy Law Alert

A Corporate Department Publication
March 2009

HITECH Act Brings New Vigor to HIPAA’s Privacy and Security Rules

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA). Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), significantly changes the landscape of federal privacy and security law as it relates to protected health information (PHI).

The HITECH Act, among other things, (i) creates new data breach notification requirements for breaches of unsecured PHI, (ii) expands the list of entities considered to be business associates (Business Associates) under the HIPAA Privacy and Security Rule and for the first time makes Business Associates directly subject to these Rules, (iii) modifies the Privacy Rule in several respects, and (iv) strengthens the enforcement provisions of HIPAA.

Notifications of Data Breach

The HITECH Act’s data breach notification requirements apply to covered entities, such as health plans, health care providers, and health care clearing houses (Covered Entities) and, to a lesser extent, to Business Associates. The notification requirements are similar to those contained in data breach laws that have been enacted in a majority of states. Most of the state data breach laws, however, specifically exempt Covered Entities from any notification or disclosure obligations. Under the HITECH Act, Covered Entities, many of which may be unfamiliar or unaware of typical state data breach notice requirements, must now prepare themselves to respond — quickly and properly — to a data breach event.

Under the HITECH Act, a data breach notification requirement is triggered when a Covered Entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise uses unsecured PHI (UPHI) knows or reasonably should have known that UPHI has been accessed, acquired, or disclosed as a result of a “breach.” A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security of such information. Upon triggering the data breach notification requirement, Covered Entities must follow specific content, timing, and method requirements as outlined in the HITECH Act:

• Timing: All notices must be made within 60 days from when the Covered Entity becomes aware of the breach (subject to law enforcement requests to delay such notice).

This Health Care and Information Privacy Law Alert is intended to provide general information for clients or interested individuals and should not be relied upon as legal advice. Please consult an attorney for specific advice regarding your particular situation.

Ann M. Caresani, 216-443-2570, acaresani@porterwright.com
Theodore G. Fisher, 614-227-2040, tfisher@porterwright.com
Brian D. Hall, 614-227-2287, bhall@porterwright.com
Richard J. Helmreich, 614-227-2088, rhelmreich@porterwright.com
Robert J. Morgan, 614-227-2186, rmorgan@porterwright.com
James H. Prior, 614-227-2008, jprior@porterwright.com
Donna M. Ruscitti, 614-227-2192, druscitti@porterwright.com
Richard G. Terapak, 614-227-4301, rterapak@porterwright.com
Jeremy A. Logsdon, 614-227-2093, jlogsdon@porterwright.com
Kenneth K. Rathburn, 614-227-2128, krathburn@porterwright.com

Please see our other publications at www.porterwright.com/publications.
