HIPAA Compliance
HIPAA Compliance Attorneys
From an ethical and legal standpoint, the security and privacy of patients’ health information is an absolute necessity. The lawyers at Norman Spencer Law Group not only wholly agree with this fact, but we offer legal services to licensed healthcare professionals and facilities that handle personal and healthcare data.
With more than 10 years’ experience in the healthcare legal arena, our attorneys have counseled clients on potential data breaches under privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA). We’ve also helped clients develop and execute data breach response plans, which include reporting to local, state and federal government agencies and responding to formal investigations.
Action in the Event of a Breach
A breach of the privacy or security of protected health information (PHI) is something that must be dealt with immediately. Contacting an experienced attorney as rapidly as possible is the wisest action to take. In the event of a breach, an investigation into the matter must be completed, and timely notifications must be sent out to all those potentially impacted.
The Breach Notification Rule process is highly involved and must be adhered to in a timely manner. The legal team at Norman Spencer Law Group can help healthcare practitioners address the rule’s five crucial questions. They are:
- What is the extent and the nature of the protected health information involved?
- What types of identifiers were compromised, and how likely is the risk of re-identification?
- Who was the unauthorized individual who used the PHI, or to whom was the disclosure made?
- Was the PHI viewed or acquired?
- To what extent can your practice reduce the risks of harm?
Breach Notification Rule
HIPAA’s Breach Notification Rule was originally published in 2009, and it was updated in 2013.
Although it is an extremely important provision of HIPAA, it is also often overlooked.
The U.S. Department of Health and Human Services (HHS) defines a breach as access, disclosure, use or acquisition of PHI that poses a serious risk of reputational, financial or other harm to an individual. The rule requires healthcare providers to show HHS that they have taken appropriate remedial action after a breach or disclosure of unsecured PHI has been discovered.
If healthcare practitioners are able to demonstrate that appropriate remedial measures have been taken, they may limit or avoid their liability associated with the alleged breach. Remedial action can include notifying patients and other parties of the disclosure that compromised the privacy or security of their PHI.
The final rule published by HHS in 2013 included adjustments to HIPAA’s Privacy and Security Rules. One of the main areas affected by the update was the obligations of healthcare providers and their business associates to report breaches of protected health information.
Under the previous version of the rule, healthcare practitioners had some discretion when it came to reporting a breach, based on whether the compromised data would result in a serious risk of reputational or financial harm. Due to inconsistent application by healthcare practitioners, HHS updated the initial version of the rule.
The final rule introduces a new standard, which presumes that any unauthorized disclosure or use of unsecured protected health information is a reportable breach. The only way healthcare practitioners can rebut this presumption is by determining that the PHI is not likely to have been compromised.
Breach Notification Rule Nuances
The Breach Notification Rule has many nuances, and it’s up to licensed healthcare professionals to determine who they are required to notify. Depending on the exact circumstances, notifications may be required to be sent to:
- Patients affected by the compromise of unsecured protected health information
- The HHS secretary
- The media
Healthcare practitioners must also be aware of when their business associates are required to notify them in the event of a breach by the business associate.
Breach Notification Rule Penalties
When breaches occur, healthcare providers have a maximum of 60 days to issue breach notifications to the appropriate parties. Failing to do so can result in financial penalties from the state attorneys general as well as the HHS Office for Civil Rights. The maximum penalty for violating the Breach Notification Rule is $1.5 million, although entities can incur even larger penalties if the notification delay extends beyond 12 months.
One healthcare entity that took 90 days to issue a breach notification in 2017 ended up with a financial penalty of $475,000. This underscores the importance of adhering to the rule and issuing notifications without delay.
If you believe a breach of PHI may have occurred, it’s imperative to seek legal help from an experienced attorney immediately. The lawyers at Norman Spencer Law Group are at your service. Our legal team is qualified to assist with issues related to the compromise of healthcare and other personal information, ensuring the rules are followed and your practice is protected. Contact our office to schedule a consultation today.
Penalties for Violations of HIPAA Breach Notification Requirements
HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.
In 2017, Presence Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation, after it exceeded the 60-day maximum time frame for issuing breach notifications. Presence Health took three months from the discovery of the breach to issue notifications, a delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.
HIPAA’s Breach Notification Rule
What is HIPAA’s Breach Notification Rule?
The Breach Notification Rule, 45 CFR §§ 164.400-414, originally published in August 2009, is an extremely important but often overlooked provision of the Health Insurance Portability and Accountability Act (“HIPAA”). A breach (or compromise) to the security or privacy of protected health information (“PHI”) is defined by the U.S. Department of Health & Human Services (“HHS”) as acquisition, access, use or disclosure that “poses a significant risk of financial, reputational, or other harm to the individual.”
Among other things, the Breach Notification Rule requires health care providers (“Providers”) to demonstrate to HHS that the Provider has taken appropriate remedial measures following the discovery of a breach or disclosure of unsecured PHI. Providers who can demonstrate this may avoid or limit their liability related to the alleged breach. Remedial measures include notice to patients and others of the impermissible use or disclosure that compromised the security or privacy of the PHI.
What is New about the Breach Notification Rule?
For Providers already familiar with the Breach Notification Rule, it is important to recognize that the rule recently underwent significant changes. In January 2013, HHS published a final rule, including modifications to HIPAA’s Privacy and Security Rules. A main area affected by this update was the addition of obligations on Providers and their business associates to identify and report breaches of PHI. Under the previous “harm standard,” Providers had discretion as to whether a breach was reportable, based on whether that breach would result in a significant risk of financial or reputational harm. HHS decided to change the “harm standard” due to its inconsistent application by Providers.
The new standard, as announced in the final rule, presumes that any unauthorized use or disclosure of unsecured PHI is a reportable breach. Providers can rebut that presumption only by determining there is a low probability that the PHI has been compromised.
There are many nuances to the Breach Notification Rule, and Providers must know whether they are required to notify: (1) the individual affected by the breach of unsecured PHI, (2) the Secretary of HHS, and/or (3) in certain circumstances, the media. In addition, Providers must know when their business associates are required to notify them if a breach occurs at or by the business associate.
If you believe that a breach of PHI may have occurred, you should immediately seek legal assistance from an attorney qualified in these matters.