HIPAA covered entities that suffered "small" data
breaches in calendar year 2016 have until March 1, 2017 to report
the breach to the U.S. Department of Health and Human Services'
(HHS) Office for Civil Rights (OCR).
HIPAA requires a covered entity, upon discovery of a breach of
unsecured protected health information (PHI), to notify each
affected individual "without unreasonable delay" and, in
any event, within 60 days after the breach was discovered. For a
breach affecting 500 or more individuals, the covered entity must
also notify OCR within the same time period. "Small"
breaches – those that involve fewer than 500 people –
must be reported to OCR no later than 60 days after the end of the
calendar year in which the breach was discovered. For non-leap
years, that deadline is March 1.
Business associates that experience their own data breaches are
required to report the breach to the covered entity "without
unreasonable delay" and no later than 60 days from the
discovery of the breach, although the Business Associate Agreement
between the parties may require a shorter timeframe. Some covered
entities, however, ask their business associates to handle the
required reporting to the affected individuals and/or OCR.
OCR maintains an online portal where each small breach that occurred
during the year must be reported separately. More information about
the Breach Notification Rule and reporting requirements may be
found on the HHS website.