
Data Breach Regulations




Corporate Compliance Manager with Meritain Health, Jennifer Moore, discusses the Department of Health and Human Services (HHS) Data Breach Regulations ("Breach Regulations"), which were issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act that was part of the American Recovery and Reinvestment Act (ARRA).
 
What you'll gain by tuning in:
 
  • You'll learn the definitions of a covered entity and a business associate as each relates to the protection of personal health information (PHI).
  • You'll be able to identify what qualifies as a PHI data breach and what the notification process is once a breach is identified.
  • You'll learn about the harm-threshold analysis you must perform when determining whether a breach of PHI has occurred.
  • You'll be able to identify when notice must be given, and to whom, once a breach of PHI has occurred.
  • You'll learn about the new annual reporting requirement to the Secretary of Health and Human Services, which must be met no later than 60 days after the end of each calendar year.
  • You'll learn about the stiff penalties HHS will be able to levy for noncompliance and how to avoid them by complying with the regulations.
 
A quick overview on the Data Breach Regulations
 
The Department of Health and Human Services (HHS) Data Breach Regulations ("Breach Regulations") were issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act (ARRA). ARRA was signed into law on February 17, 2009 and made a series of changes to HIPAA's Privacy and Security Rules.
 
Below are 5 points you need to know about the Breach Regulations:
 
  1. The data breach regulations apply to both covered entities and business associates.
  2. A breach is defined as the acquisition, access, use or disclosure of "unsecured" PHI in a manner that violates HIPAA's Privacy Rule and compromises the security or privacy of that PHI.
  3. The data breach regulations apply when the breach "poses a significant risk of financial, reputational, or other harm to the individual."
  4. New notice requirements have been added, which include:
      a.  Individual notification within 60 days of the breach.
      b.  If the breach involves 500 or more individuals, notice must be given to:
        i.    The individuals
        ii.   The media
        iii.  The Secretary of HHS
      c.  An annual notice to the Secretary of HHS is now required, first as early as March 1, 2010 and annually thereafter.
  5. Penalties for non-compliance depend on the level of knowledge, with the steepest tier being $50,000 per violation and up to $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.