Is Your Practice Prepared for the New Data Security Laws?
On February 22, 2010, the new Health Information Technology for Economic and
Clinical Health (HITECH) Act breach notification requirements became enforceable.
HITECH makes significant changes to HIPAA security requirements, requiring
notice to individuals whose information is affected by a breach of privacy.
There are four tiers of penalties, the most punitive ending at $50,000 per
violation with a cap of $1.5 million.
Also, on March 1, 2010, the new MA data
security laws went into effect. Massachusetts’ breach
notification law, 201 CMR 17.00, allows for civil penalties of up to $5,000
for each violation and $50,000 for each instance of improper disposal of “personal
information” (PI). PI is a person’s first name and last name (or
first initial and last name) in combination with any one of the following:
1) Social Security number; 2) driver’s license number or other state-issued
identification card number; or 3) a financial account number, or credit or
debit card number, with or without any required security code, access code,
or PIN that would allow account access.
For a medical practice, there are two
overlapping issues — the loss of
both personal information and health information, as most patient data includes
both. A simple loss of an employee’s tote bag containing sensitive patient
information, faxing a patient’s test reports to the wrong number, or
improperly disposing of old charts in an unsecured dumpster could result in
costly ramifications for the practice. A recent article in American Medical
News notes that the greatest risks to healthcare providers in the area of maintaining
patient privacy aren’t offshore hackers or rogue employees, but rather
simple accidents. For physicians, a lost Blackberry, flash drive or laptop
can mean legal fees, an arduous process of notification, damage to the practice's
reputation, and the risk of heavy penalties.
Breach Notification
If a breach of information is discovered the data owner must provide notice
to the MA Attorney General, the Director of the Office of Consumer Affairs
and Business Regulation, and written notice to each affected MA resident. If
the breach affects 500 or more individuals, major media outlets and the HHS
must also be notified. Notification must be provided no later than 60 days
following the discovery of a breach.
Individual Notice
The data owner must provide affected individuals notice in writing by first-class
mail (or by e-mail if the affected individuals have agreed to receive such
notices electronically.) If there is insufficient or out-of-date contact information
for 10 or more individuals, the data owner must post the notice on the home
page of its web site or publish the notice in major print or broadcast media
where the affected individuals likely reside.
Massachusetts’ personal
data breach notification law requires that notifications SHALL NOT include:
1) The nature of the breach
2) The number of residents affected by the breach
3) Any steps the Entity has taken or plans to take relating to the incident
Notifications
SHALL include:
1) Law enforcement entity notified, case number and contact information, if
applicable
2) Information that the consumer has the right to obtain a police report and
the contact information needed to request a report, if applicable
3) Information that the consumer has the right to obtain a credit report from
any of the three credit bureaus
4) Information that the consumer has the right to obtain a credit freeze, information
regarding the costs of a credit freeze, information the consumer would need
to provide and contact information of all three credit bureaus
Media Notice
Data owners that experience a breach affecting more than 500 residents of a
State or jurisdiction are also required to provide notice to the prominent
media outlets of that area. This notification can be provided in the form of
a press release to appropriate media outlets serving the affected area.
Notice to HHS
Notice must be given to the Secretary of Health and Human Services for breaches
involving more than 500 individuals. The Secretary will post on an HHS web
site a list that identifies each covered entity involved in a breach in which
the unsecured PHI of more than 500 individuals is acquired or disclosed.
PIAM has developed a new program with very competitive pricing that will
provide coverage for the potential damages that may come from a health data
breach. For more information, call (800) 522-7426.