The Catholic University of America - Campus Legal Clearinghouse

Welcome to the HIPAA section of our webpage. 

This front page will reflect our most current information on HIPAA issues affecting educational institutions.

Interim Final Rule, Request for Comments; 74 Fed. Reg. 56123 (October 30, 2009) HIPAA Revised Civil Monetary Penalties (amends 45 CFR Part 160)

Effective Nov. 30, 2009, this rule conforms the enforcement provisions of HIPAA to the revisions made by the HITECH Act. There are tiered ranges of civil money penalty amounts, and revised limitations on the Secretary's authority to impose civil money penalties for established violations of HIPAA's Administrative Simplification rules (HIPAA rules).

Breach Notification for Unsecured PHI, Interim Final Rule, 74 Fed. Reg. 42740, August 24, 2009

Effective Sept. 23, 2009. Covered entities and business associates must provide notification in cases of breach of unsecured PHI that endangers the security or privacy of PHI. Unsecured means not protected through a technology or method included in the HHS Guidance, which is also updated in the above interim final rule. The time, method and content of providing notice are included in this rule. This was required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of ARRA. Notification must go to the affected individuals, HHS, and in some cases, the media. Also, the business associate must notify the covered entity of any breaches. Those entities that secure health information as directed do not have to notify in the event of a breach. Encryption (of electronic data) and destruction (of paper data) are the only two methodologies that have been deemed secure.

The law defines a breach as the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. If the information is de-identified it is not protected health information, or *PHI*, and thus there is no breach if it is inadvertently disclosed. The information has to be *unsecured* for a breach to have occurred. Also, the disclosure must have posed a significant risk of financial, reputational, or other harm to the individual.

Determining whether or not a breach has occurred entails performing a risk assessment that considers a number of factors. First, the covered entity should consider who impermissibly used the information, or to whom it was impermissibly disclosed, when evaluating the risk of harm to individuals. If the disclosure is to another entity covered by HIPAA, such as the health insurance provider, there may be less risk of harm to the individual, as the recipient is obligated by the HIPAA rules. The reverse is also true: if the disclosure is to a non-covered entity, the risk is greater. Second, if immediate steps are taken to mitigate the disclosure, such as assurances from the recipient that the information will be destroyed and not further disclosed, then HHS would interpret that the security/privacy of the data has not been compromised and there is no breach. Also, if the lost data is returned (e.g., a laptop) and an investigation shows records were not accessed, then there has been no breach. Third, in conducting a risk assessment, the amount and type of data disclosed should be reviewed. If the only disclosure was the name of an individual and the fact that he/she received services from a hospital, there would be a Privacy Rule violation, but the disclosure may not constitute a significant risk of financial or reputational harm. However, if the type of services received is disclosed, then there is a higher likelihood a breach has occurred.

If a limited data set is disclosed (see definitions below) it is still considered a possible breach, unless the date of birth and zip code are also removed. This is a very narrow exception. Permissible research activity, as allowed under the Privacy Rule, would not constitute a breach.

See the Seyfarth Shaw article dated 8/26/09 and titled HIPAA Breach Notification Interim Final Rule which notes that sanctions will not be imposed until Feb. 22, 2010 for failure to comply.

HITECH Act: New Law Requires Significant Investment in Health Information Privacy and Security: NACUANOTES July 17, 2009 by Barbara Bennett and Alexander Dreier, Hogan and Hartson

Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Health Records, issued November 2008. The guidance addresses the interplay between FERPA and the HIPAA Privacy Rule at the elementary and secondary levels, as well as at the postsecondary level, and addresses many of the questions raised by school officials, health care professionals, and others regarding the applicability of these two laws to records maintained on students. It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.

Last Revised 09-Nov-09 12:43 PM.