Web-Tones

HIPAA, HITECH & FTC Red Flags Rule

2009-07-15T14:44:03-04:00

HealthBlawg: Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough. David has an excellent post summarizing the impact that the FTC's Red Flags Rule may have on healthcare providers.

As I have written about previously, there is a regulatory freight train coming that few in the healthcare industry see, although many are starting to get a sense that there is something "out there" heading their way. As a privacy lawyer, I help clients deal with these kinds of regulatory issues, not only within healthcare, but across industry sectors.

As a veteran of the technology industry it is clear to me that there is a convergence of law, policy and technology happening on a daily basis. It helps to have "bi lingual" partners due to the number of organizational stakeholders that need to weigh in on compliance issues.

Privacy and data security compliance is fast becoming a board room issue.

HITECH / HIPAA Compliance is Serious Business!

2009-07-14T22:21:27-04:00

Well yes it is but, then again we all need a little levity, and no one needs it more than a HIPAA lawyer or a HIPAA compliance officer.

Without a little humor, the HITECH alphabet soup might just drive you over the HIPAA edge. Listen and enjoy.

Copyright Holders Beware!

2009-07-14T17:13:00-04:00

Are You Gambling With Your Copyright By Entering That Photography Contest? : Owners, Borrowers & Thieves 2.0. Lots of copyright traps to fall into for the unwary. Most small businesses and independent contractors simply do not pay enough attention to the basics. A little education can go a long ways.

As an Internet Lawyer education is a big part of what I do.

HITECH/HIPAA Timelines?

2009-07-11T11:14:15-04:00

Here are some of the relevant timelines for HITECH/HIPAA compliance. Refer to the Subtitle-D table of contents below for a quick reference to the respective sections.

HITECH enactment (February 17, 2009) Tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410).

180 days post enactment (August 17, 2009) HHS and the FTC will promulgate interim regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA (i.e. because generally the organization that produces the PHR is not a "covered entity") or business associate agreements (Section 13402, 13407).

24 months post-enactment (February 17, 2011) HHS clarification regarding ability to pursue civil penalties when criminal penalties are not pursued (Section 13405).

36 months post-enactment (February 17, 2012) HHS is obligated to establish regulations that will allow individuals harmed by privacy and security violations to receive a percentage of any HHS monies collected related to civil fines regarding such violations.

DIVISION A: TITLE XIII—HEALTH INFORMATION TECHNOLOGY

SUBTITLE D-PRIVACY.

Sec. 13400. Definitions.

PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS

Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.

Sec. 13402. Notification in the case of breach.

Sec. 13403. Education on health information privacy.

Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.

Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.

Sec. 13406. Conditions on certain contacts as part of health care operations.

Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.

Sec. 13408. Business associate contracts required for certain entities.

Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.

Sec. 13410. Improved enforcement.

Sec. 13411. Audits.

PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES; EFFECTIVE DATE; REPORTS

Sec. 13421. Relationship to other laws.

To learn more about HITECH and HIPAA see the HIPAA Survival Guide.

FTC Red Flags Rule & Health Care Providers?

2009-07-11T10:01:54-04:00

Many health care providers probably do not realize that they may be considered "creditors" under the FTC's Red Flags Rule, designed to prevent identity theft, usually involved with financial transactions, but which is increasingly spreading into other domains.

This is yet one more sign that protected health information (PHI) is going to be getting more attention as HHS pushes for the adoption of electronic health records. "The red flags rule is intended to address all forms of identity theft, including those involving the provision of health care," according to an FTC document.