Phone 208.344.6000 Email info@hawleytroxell.com
     

Home > News > Privacy Breach Notification Rules: OCR to Begin Imposing Penalties for Failure to Comply

Privacy Breach Notification Rules: OCR to Begin Imposing Penalties for Failure to Comply

Added by Stacey Taylor in News on February 1, 2010

Grace Period Has Expired. As explained in our prior updates, the new HIPAA breach notification regulations require covered entities to notify patients, HHS, and in some cases local media if there is a breach of unsecured protected health information. (45 C.F.R. ยง 164.400 et seq.) Although the regulations became effective last September, HHS declared that it would not impose penalties for failure to comply with the breach notification rules if the breach was discovered before February 22, 2010. (74 FR 42757) The 6-month grace period has now expired; accordingly, the failure to comply with the new breach notification rules may now expose the covered entity and business associate to dramatically increased penalties imposed by the HITECH Act.

Only Required to Report Certain Breaches. The good news is that the regulations only require covered entities and business associates to report a “breach” if: (1) there is improper access or disclosure of protected health information that violates the HIPAA privacy rules; (2) the breach poses a significant risk of financial, reputational or other harm to the individual; and (3) the breach does not fit within one of several exceptions. Given the potential liability for breaches, covered entities and business associates should take appropriate steps to ensure they understand and comply with the new regulations as well as the old HIPAA privacy and security requirements.

No New Regulations. On an unrelated note, HHS failed to issue anticipated regulations implementing other HITECH Act provisions by the February 18, 2010 deadline, including regulations governing business associates, business associate agreements, and certain patient rights. OCR officials have reportedly stated that HHS will postpone enforcement of certain HITECH Act provisions that were set to take effect on February 18, 2010 until the new regulations have been issued; however, we have not received official word confirming the same. Stay tuned….

If you have questions about these or other legal issues, please contact a member of our Health Law group at info@hawleytroxell.com or 208.344.6000.


Main Office: 877 Main Street, Boise, Idaho 83702    208.344.6000    info@hawleytroxell.com
Email Signup    Careers    Privacy Policy    Terms & Conditions      Copyright ©2012 Hawley Troxell Ennis & Hawley LLP All Rights Reserved.

Disclaimer: The information on Hawley Troxell's website and the information found through the designated links is not intended to be advertising or solicitation, and is not intended to provide legal advice. Use of this website is not a substitute for consultation with legal counsel.

Use of this website, or of the information it contains, does not create an attorney-client relationship between the user and Hawley Troxell. Hawley Troxell does not endorse or promote any linked entities or websites, and provides these links solely as a convenience to the user. Please do not use the e-mail links on this website for the transmission of confidential or sensitive information, as the security of such communications cannot be assured.