Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers
Employershave good reason to re-evaluate their HIPAA compliance efforts. Recentenforcement actions by the U.S. Department of Health and Human Services(HHS) that resulted in large settlement payments signal more pronouncedefforts to enforce HIPAA’s compliance requirements. These enforcementactions were driven by publicly disclosed security breaches thatbrought compliance lapses to HHS’ attention.
Recent amendments to the HIPAA Privacy Rule, enacted as part of themassive federal economic stimulus legislation, will fuel this“breach-driven enforcement.” Under existing law, the HIPAA Privacy Rulecontains no security breach notification requirement. EffectiveFebruary 17, 2010, however, employers will be required to take thefollowing steps when they learn that the “unsecured” protected healthinformation (PHI) of participants in HIPAA-covered plans has beensubjected to unauthorized access, use or disclosure:
• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address
This notice obligation applies regardless of whether the employer ora third-party service provider, such as a benefits administrator,pharmacy benefits manager, or insurance broker is responsible for thebreach.
Continue Reading...
0 comments