Medical record custodians beware—rules promulgated by
the federal Department of Health and Human Services
("HHS") are placing increased focus on, and imposing
increased penalties for, data intrusions and thefts related to

Rules imposed under the 2009 Health Information Technology for
Economic and Civil Health Act ("HITECH Act") require
entities qualifying as "covered entities" under the
Health Insurance Portability and Accountability Act of 1996
("HIPAA"), as amended, to report data breaches to HHS and
to notify those individuals. Failure to notify affected
individuals may result in hefty fines, which can increase
substantially as a result of delays.

In addition, those healthcare entities that have experienced data
breaches affecting 500 or more individuals must notify local media
and are listed publicly on the Office of Civil Rights'
website. The list, which some in the healthcare industry
have dubbed the "Wall of Shame," contains the name of the
covered entity, its location, the number of individuals affected,
the date of breach, the type of breach, and the location of the

The past few years have brought massive reported breaches, such as
the 4.9 million records lost by TRICARE Management Activity (a
Department of Defense health care program) when backup tapes
disappeared, 1.9 million records lost when hard drives disappeared
from HealthNet, and 1.7 electronic medical records stolen from the
New York City Health and Hospitals Corporation's North Bronx

Data breaches are occurring with increasing frequency and take
many forms—from 'old school' physical theft of
hard drives and laptops to 'new school' criminals demanding
ransom from records custodians. Indeed, a recently released
survey by FTI Consulting Inc. and Corporate Board Member states
that data security was the most cited issue of concern for general

Records custodians in the healthcare industry – and in
any industry, for that matter – should establish a plan
to deal with potential intrusion or theft and should consider
obtaining "cyber-theft" insurance or other coverage to
protect against the steep aftereffects that inevitably follow a
data breach. Those who fail to adequately protect themselves
risk facing governmental investigations, criminal and civil
penalties, class action suits, and adverse media coverage.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.