Showing posts with label data breach. Show all posts

Thursday, March 17, 2011

OCR Seeks FY2012 Budget Increase of $5.6M for HIPAA Compliance and Enforcement

HealthLeaders reports that the Office of Civil Rights (OCR) is seeking an additional $5.6 million in its Fiscal Year 2012 budget proposal to fund its HIPAA compliance and enforcement activities.

The article also details the most current numbers on breaches reported to OCR. As of March 16, 249 entities have reported breaches affecting 500 or more individuals. To view the current data and details on reported breaches, see the OCR list of Breaches Affecting 500 or More Individuals.

Monday, October 05, 2009

Congressional Members Concerned About HHS Inclusion of "Harm Standard" In Breach Notification Rule

Members of the U.S. House of Representatives submitted an October 1, 2009 letter of concern to Secretary Sebelius and the Department of Health and Human Services (HHS) concerning the inclusion of a "harm standard" in the recently released (August 24, 2009) Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164), 74 Fed. Reg. 42740.

In developing the Interim Final Rule, HHS interpreted the term "compromises" as meaning that a threshold substantial harm standard should be included when determining whether a breach of data has occurred. However, the Members indicate in their letter that they considered whether a "harm standard" should be a part of the legislation and decided not to include such a standard. The letter urges HHS to revise the Interim Final Rule and repeal its harm standard provisions.

The letter was submitted by Rep. Henry Waxman, Rep. Charles Rangel, Rep. John Dingell, Rep. Frank Pallone, Jr., Rep. Pete Stark and Rep. Joe Barton.

Tip to Alan Goldberg, health care attorney and American Health Lawyer Association HIT Listserve Moderator, who posted a copy of the letter.

ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect

Have you had a health data security breach? Do you know what a health data breach is? Are you required to notify individuals impacted by the breach? Do you have to notify federal agencies of such breach?

Read on for more information regarding the Office for Civil Rights (OCR) and Federal Trade Commission (FTC) regulations requiring health care providers and other health data business vendors to assess, and in some cases notify individuals of and report, health information data breaches under the new federal law created by ARRA-HITECH.

The new regulations went into effect on September 23, 2009 and September 24, 2009, respectively, with a full compliance date of February 22, 2010. Health care providers covered under HIPAA and third party users of health information, including personal health record (PHR) companies and vendors, PHR related entities, health 2.0 companies and other third party health data service providers, should examine the regulations and understand the impact on their business.

The regulations require entities to develop internal compliance processes to act upon and advise individuals of data breaches that pose a significant risk of financial, reputational or other harm to the affected individual. The OCR regulations apply mainly to covered entities and business associates under HIPAA and the FTC regulations apply mainly to PHR vendors and PHR related entities. The regulations define a "breach" and set forth the time frames and scope of notification required. The regulations require the tracking and reporting of such data breaches to OCR and FTC. Also, OCR has published separate guidance specifying the technology and methods that will render health information unusable, unreadable and undecipherable as defined under ARRA-HITECH.

OCR has provided a summary of the breach notification rule on its website. OCR has also published instructions for reporting breaches to the HHS Secretary. The instructions include details for reporting "Breaches Affecting 500 or More Individuals" and "Breaches Affecting Fewer than 500 Individuals." OCR will also maintain a list of reported breaches that impact 500 or more individuals. The FTC also has a section on its website providing information on its health breach notification rule.

Below are links to the full regulation text:
  • OCR Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information 74 Fed. Reg. 19006 (April 27, 2009).
  • Federal Trade Commission: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached (16 CFR Part 318) 74 Fed. Reg. 42962 (Aug 25, 2009). The FTC has also issued a Breach Notification Form.

UPDATE (July 29, 2010):

Today the OCR/HHS issued a statement that the OCR Interim Final Rule listed above and published on August 24, 2010, is being withdrawn from the Office of Management and Budget (OMB). The full notice published on the OCR website states:

Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.



    Thursday, May 07, 2009

    Virginia Department of Health Professions Issues Statement on Potential Breach of Security for Prescription Monitoring Program

    Virginia Department of Health Professions has issued a News Release regarding the potential breach of security for the Prescription Monitoring Program. The statement also indicates that there is an ongoing criminal investigation into the breach which occurred on April 30.

    Also, the Virginia Department of Health Professions has issued a related Questions and Answers document.

    I have been following the story the last couple of days and provide some analysis of the potential breach in this previous blog post.

    UPDATE (5/13/09): iHealthBeat provides a good update on the status of the data breach and investigation. The article references two Richmond Times-Dispatch articles, "Inquiry continues into hacking of state computers" and "FBI expects Va. hacker probe to take two more weeks."

    Tuesday, May 05, 2009

    Virginia Department of Health Professions Breach: Extortion Demand Regarding 8M Patient Records and 35M Prescriptions

    Information Week is covering a story involving an extortion letter sent last week to the Virginia Department of Health Professions seeking $10M to return more than 8M patient records and 35M prescriptions allegedly stolen from the Virginia Department of Health Professions.

    The extortion demand was posted on WikiLeaks. The WikiLeaks website states:

    May 3, 2009
    Summary
    On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
    "I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
    The site, https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx appears to have been entirely disabled and is presently unavailable.
    The linked file provides the full ransom message.
    The PMP is used by pharmacists and others to discover prescription drug abuse.
    The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable.

    The Virginia Department of Health Professions website indicates that they are "currently experiencing technical difficulties which affect computer and email systems."

    Sandra Whitely Ryals, Director of the Virginia Department of Health Professions, responded to the inquiry by Information Week, stating that "a criminal investigation is under way by federal and state authorities."

    The Washington Post Security Fix blog is also covering this story. Follow more news on this story via Google News.


    UPDATE (5/5/09):
    At the bottom of his follow-up post, John Chilmark asks the question: "Now the question is, under HIPAA, does the VDHP have to send out breach notifications to all consumers whose records have been compromised?"

    Here is my quick assessment. The HIPAA privacy rule (pre-ARRA HITECH) does not contain provisions that require a covered entity to notify individuals impacted by an alleged breach. However, when I have assisted clients with these types of data breach situations in the past I typically discuss with the client whether it is good practice to provide notification. The HIPAA privacy rule provisions do contain a requirement that a covered entity should mitigate potential harm to patients/individuals when there is a violation of the privacy rule. My interpretation is that this might, under certain circumstances, include providing notice to such individuals whose data has been compromised. Also, a question that factors into the equation is whether or not the Virginia Department of Health Professions qualifies as either a covered entity or business associate under the HIPAA privacy rule. Handling these situations is very fact specific and depends upon a number of factors.

    The new federal breach notification requirements contained in the HITECH section of the American Recovery and Reinvestment Act (ARRA) do not apply because the provisions do not go into effect until 30 days after the Department of Health and Human Services (HHS) publishes the interim final data breach notification regulations, which has not yet occurred. The new federal breach notification law will be implemented in conjunction with the Federal Trade Commission's (FTC) proposed health breach notification rule that will apply to PHRs, PHR related vendors and other third party providers. The proposed rule is currently out for comment.

    The regulations are currently in the works and HHS has now issued initial guidance on what data is classified as unsecured protected health information (not secured by technology that renders it "unusable, unreadable or indecipherable"). See the April 27, 2009 guidance for more on what this means. The guidance outlines the types of technologies that, if used, create a safe harbor for HIPAA privacy covered entities and business associates to avoid having to provide notice in a situation where there has been a breach.

    Also, the VDHP will likely have to assess the Virginia Data Breach Act (state-by-state survey of state breach laws by the National Conference of State Legislatures) to see whether notification or other action is required under state law. Over 40 states now have distinct state laws governing breach notification that extend to and cover everything from traditional personal information (name, social security number, etc.) to health related information. I've not dealt with nor reviewed the Virginia Act but suspect a strong likelihood that notification will be required.

    UPDATE (5/6/09): The Roanoke Times provides an update on the status of the pending investigation with comments from Governor Tim Kaine. The article states:
    Gov. Tim Kaine said today that a hacker’s reported access to patient prescription records from a state database was “an intentional criminal act against the commonwealth by somebody who was trying to harm others” . . .

    The FBI and the Virginia State Police are investigating the matter. Kaine said he could not discuss the probe.

    “Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted . . . and that we protect people whose data has been compromised,” Kaine said this morning.

    The article also indicates that Virginia law requires notification of individuals whose personal information may have been accessed due to a computer security breach and that, like many state laws, Virginia's breach notification law requires that notice be provided "without unreasonable delay."

    Sunday, April 19, 2009

    HITECH Act Breach Notification Guidance: What Renders PHI Unusable, Unreadable or Indecipherable For Purposes of Breach Notification?

    On April 17, 2009, the U.S. Department of Health & Human Services (HHS) issued guidance on the technology requirements to render protected health information (PHI) "unusable, unreadable or indecipherable to unauthorized individuals," as required by the Health Information Technology for Economic and Clinical Health Act (HITECH), which is a part of the American Recovery and Reinvestment Act of 2009 (ARRA).

    The April 27, 2009 Federal Register (74 FR 19006) contains the official copy of the regulation, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information.

    The guidance is effective as of April 17, 2009. However, the guidance will apply to breaches 30 days after publication of the interim final regulations.

    HHS's press release on the guidance states:
    The guidance issued today provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.
    The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare & Medicaid Services (CMS).
    The guidance also seeks public comments on the guidance as well as the breach notification provisions under FTC's new Health Breach Notification Rule and the yet to be released HHS Breach Notification Requirements for HIPAA Covered Entities and Business Associates. Public comments must be submitted on or before May 21, 2009.

    Friday, April 17, 2009

    FTC Proposed Health Breach Notification Rule for PHRs and Electronic Health Information

    Yesterday, April 16, 2009, the Federal Trade Commission released its proposed Health Breach Notification Rule for Vendors of Personal Health Records (PHRs) and Electronic Health Information.

    The official title of the proposed rule is: 16 C.F.R. Part 318: Notice of Proposed Rulemaking and Request for Public Comments Concerning Proposed Health Breach Notification Rule, Pursuant to the American Recovery and Reinvestment Act of 2009.

    The FTC is seeking written comments electronically or in paper form. The comments must be submitted by June 1, 2009 and will be placed on the public record and made accessible at the FTC website at: http://www.ftc.gov/os/publiccomments.shtm.

    The FTC's press release states:
    The Federal Trade Commission today announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached.

    The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of Web-based entities that collect or handle consumers’ sensitive health information. Some of these entities offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information. Others provide online applications through which consumers can track and manage different kinds of information in their personal health records. For example, consumers can connect a device such as a pedometer to their computers and upload miles traveled, heart rate, and other data into their personal health records. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

    To address these issues, the Recovery Act requires the Department of Health and Human Services to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the Act requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached. The proposed rule the Commission is announcing today is the first step in implementing this requirement.

    In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.
    More information is available at the info.rmatics blog, which has posted a quick summary of the proposed rule. I have only had a chance to quickly scan the proposed rule but will add additional comments once I have a chance to read the entire proposed regulations. Comments and thoughts of others are welcomed - please post your comments.

    Friday, November 07, 2008

    Potential Data Breach and Extortion at Express Scripts

    The WSJ Health Blogs reports about a potential data breach at Express Scripts, one of the largest pharmacy benefit management companies in North America. More from Express Scripts on the Facts, FAQs and Other Resources.

    The potential data breach came to Express Scripts' attention after the company received an anonymous letter attempting to extort money by threatening to expose millions of patient records. The threat letter included personal information on 75 members, including names, dates of birth, social security numbers and prescription information.

    The article also mentions a similar extortion related data breach which occurred in March 2006 and involved Medical Excess LLC, a subsidiary of AIG. In that case the FBI investigated and arrested an individual who stole a computer server containing personal health information of more than 900,000 individuals. The individual tried to extort AIG for $208,000 after threatening to release the information on the Internet.

    According to the FBI Press Release, the individual involved was the first person to be charged under the new federal criminal statute, Title 18 U.S.C. 1030(a)(7)(B) and (C). The new federal criminal statute makes it a federal crime to commit extortion relating to unauthorized access of, or damage to, a protected computer system and/or to impair the confidentiality of information obtained from a protected computer.

    To learn more read Express Scripts' press release and related support site.

    Wednesday, September 10, 2008

    California Proposes New Privacy Breach Protections: Will Other States Follow The Trend?

    Last month The LA Times reported on a new law (AB 211 and SB 541) moving through the California Legislature to increase protections around confidential medical and health information and create a new state Office of Health Information Integrity to oversee compliance, investigate breaches and assess fines.

    The article cites the high profile celebrity snooping cases into the records of Britney Spears, Farrah Fawcett and California First Lady Maria Shriver as recent examples highlighting the need for more protection. Governor Schwarzenegger has a personal interest in signing this bill if it gets through the legislature. The Health Law Prof Blog provides some additional insight and information on the bills.

    As is often the case, California is a leader in new legislative initiatives, and I suspect we will see other states follow its lead this coming legislative session by implementing or revising their breach notification and health information privacy laws.

    For more information on the bills check out the following additional information.

    AB 211 (August 22, 2008 amendment) currently appears to be in the final stages of being passed by the California State Assembly. The bill creates a new Office of Health Information Integrity and gives the office powers to levy administrative fines and penalties. The bill also authorizes the office to forward a potential violation to the appropriate licensure body.

    Following is the Legislative Counsel's Digest summary version of AB 211 (amended August 22, 2008):
    AB 211, as amended, Jones. Public health.

    Existing law permits the establishment of the position of county health officer for the performance of various duties and powers relating to public health.

    This bill would authorize the local health officer to provide assistance to cities and counties with regard to public health issues as they relate to local land use planning and transportation planning processes.

    Existing law prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient of the provider or an enrollee or subscriber of the health care service plan without authorization, except as specified. Existing law makes it a misdemeanor to violate these provisions resulting in economic loss or personal injury to a patient, as specified. In addition, existing law authorizes administrative fines and civil penalties against any person or entity that negligently discloses, or knowingly and willfully obtains, discloses, or uses medical information in violation of these provisions, as specified. Existing law specifies the entities that may bring a civil action to recover civil penalties.

    This bill would require every provider of health care, as defined, to [deleted: prevent the unlawful access, use, or disclosure] [added: implement appropriate specified safeguards] to protect the privacy of a patient's medical information. The bill would require every provider of health care to monitor employees who have access to patient medical information, as specified, to ensure compliance. The bill would also require a provider to [deleted: establish and maintain appropriate safeguards and policies to ensure the confidentiality and security of medical information, as specified] [added: reasonably safeguard confidential medical information from unauthorized or unlawful access, use, or disclosure]. The bill would establish within the California Health and Human Services Agency the Office of Health Information Integrity to assess and impose administrative fines for a violation of these provisions, as provided. The director would be appointed by the Secretary of California Health and Human Services. The bill would establish the Internal Health Information Integrity Quality Improvement Account for the deposit of funds derived from these penalties. Upon appropriation by the Legislature, the bill would authorize money in the account to be used to support quality improvement activities. The bill would also authorize the director to [deleted: make] [added: send] a recommendation [deleted: to the licensing authority of a health care provider] for further investigation of, or discipline [deleted: of the licensee, as specified, and to recommend that a civil action to collect penalties be commenced] [added: for, a potential violation to the licensee's relevant licensing authority].

    This bill would provide that any costs created pursuant to this act associated with the implementation and operation of the Office of Health Information Integrity shall be funded through non-General Fund sources.

    Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.


    SB 541 passed the Senate on August 29, 2008 and is now in enrolled status. The bill creates specific penalties for the unlawful or unauthorized access to patient medical information and sets the fines at $25,000 per patient with a $250,000 cap per reported event. It also sets a per day fine for failing to notify patients impacted by a breach after 5 days.

    Following is the Legislative Counsel's Digest summary version of SB 541:
    SB 541, Alquist. Clinics, health facilities, home health agencies, and hospices: administrative penalties and patient information.

    Existing law provides for the licensure and regulation of clinics, health facilities, home health agencies, and hospices by the State Department of Public Health. A violation of these provisions is a misdemeanor.

    Existing law authorizes the department to assess a licensee of a general acute care hospital, an acute psychiatric hospital, or a special hospital an administrative penalty not to exceed $25,000 if the licensee receives a notice of deficiency constituting an immediate jeopardy to the health or safety of a patient and is required to submit a plan of correction. Existing law makes these provisions applicable to incidents occurring on or after January 1, 2007.

    This bill would increase this administrative penalty to be up to $100,000 for incidents occurring on and after January 1, 2009. This bill would set the administrative penalties, for incidents on and after January 1, 2009, at up to $50,000 for the first administrative penalty, up to $75,000 for the 2nd subsequent administrative penalty, and up to $100,000 for the 3rd and every subsequent violation.

    Existing law also provides that, upon the adoption of specified regulations, the administrative penalty for an immediate jeopardy violation may be up to $50,000. If the violation does not constitute an immediate jeopardy violation, the penalty may be up to $17,500, except that no penalty shall be assessed for a minor violation.

    Under existing law, moneys collected by the department as a result of the imposition of the above penalties are required to be deposited into the Licensing and Certification Program Fund, to be expended, upon appropriation by the Legislature, to support internal departmental quality improvement activities.

    This bill would increase the administrative penalties for an immediate jeopardy deficiency from $50,000 to a graduated scale of a maximum of $75,000 for a first penalty, a maximum of $100,000 for the 2nd penalty, and a maximum of $125,000 for the 3rd and subsequent penalties, and would increase the penalty for deficiencies not causing immediate jeopardy from $17,500 to $25,000. The bill would apply the penalty provisions only to incidents occurring on or after January 1, 2009.

    The bill would specify that, for any of the above administrative penalties, a penalty issued after 3 years from the date of the last issued immediate jeopardy violation be considered a first administrative penalty so long as the facility has not received additional immediate jeopardy violations and is found by the department to be in substantial compliance with all state and federal licensing laws and regulations. The bill would give the department full discretion to consider all factors when determining the amount of an administrative penalty.

    This bill would require health facilities, clinics, hospices, and home health agencies to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, as defined. The bill would authorize the department to assess an administrative penalty of up to $25,000 per patient for a violation of these provisions, and up to $17,500 for each subsequent accessing, use, or disclosure of that information.

    The bill would require all of the administrative penalties to be deposited into the Internal Departmental Quality Improvement Account, which would be created within the existing Special Deposit Fund, and would delete the requirement that certain of the penalties be deposited into the Licensing and Certification Program Fund. The bill would require moneys in the account to be used for internal quality improvement activities in the Licensing and Certification Program.

    This bill would impose specified reporting requirements on a health facility or agency with respect to unlawful or unauthorized access to, or use or disclosure of, a patient's medical information, and would authorize the department to assess a penalty for the failure to report, in the amount of $100 for each day that the unlawful or unauthorized access, use, or disclosure is not reported, up to a maximum of $250,000. The bill would authorize a licensee to dispute a determination of the department regarding a failure to make a report required by the bill, as provided.

    By expanding the definition of an existing crime, this bill would impose a state-mandated local program.

    The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

    This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to these statutory provisions.

    Thursday, January 17, 2008

    Advocating The Need For A Federal Data Breach Disclosure Law

    Information Week's Security Blog advocates for a federal data breach disclosure law in this post, The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law.

    Thanks to the HIPAA Blog for pointing out the article. I agree with Jeff Drummond's conclusion. After having analyzed overlapping and differing state disclosure requirements as a part of assisting clients with data breach issues, a federal approach is the direction we should go. (Caveat: it should require total preemption, not partial preemption like HIPAA privacy.)

    A federal approach would help set a national industry standard that can be clearly understood, implemented and followed by those who regularly deal in data, health care or otherwise. The state-by-state patchwork of differing laws that currently exists creates a complexity that is not needed.

    For more on the ongoing complexity issue, check out California's revised law (AB1298), which recently took effect. AB1298, effective January 1, 2008, expands the coverage and protections of California's State Information Practices Act to medical information and health insurance information.

    A clear and concise national approach would simplify compliance for those required to maintain and protect data, including health care providers maintaining health information. Customers and patients who expect their data to be protected would also benefit from a simplified approach and a uniform law that provides a consistent level of breach notification and protection.

    For more on state security breach notification legislation and laws, check out the National Conference of State Legislatures website page "Breach of Information". Last updated in April 2007, it states that "thirty-five states have enacted legislation requiring companies and/or state agencies to disclose security breaches involving personal information." I suspect this number will increase after the 2008 legislative sessions around the country.

    Also, NCSL provides a summary of data breach notification legislation introduced by year. For 2007, they list three bills introduced (but not passed) before the West Virginia Legislature:

    WEST VIRGINIA
    WV H 2175
    Sponsor: Marshall (D)
    Title: Acquisition of Security Compromising Data
    Introduced: 01/16/2007
    Location: House Judiciary Committee
    Summary: Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.
    Status:
    01/16/2007 INTRODUCED.
    01/16/2007 To HOUSE Committee on JUDICIARY.

    WV H 2263
    Sponsor: Brown (D)
    Title: Clean Credit Information and Identity Theft Protection
    Introduced: 01/16/2007
    Location: House Judiciary Committee
    Summary: Ensures clean credit information and identity theft protection (FN).
    Status:
    01/16/2007 INTRODUCED.
    01/16/2007 To HOUSE Committee on JUDICIARY.

    WV H 2705
    Sponsor: Marshall (D)
    Title: Consumer Right to Impose Freeze on Credit Reports
    Introduced: 01/30/2007
    Location: House Judiciary Committee
    Summary: Establishes a procedure whereby a consumer may implement a security freeze to prohibit a consumer reporting agency from releasing all or any part of the consumer's credit report.
    Status:
    01/30/2007 INTRODUCED.
    01/30/2007 To HOUSE Committee on JUDICIA

    As a result of high-profile cases like this one that occurred in West Virginia, we will again see legislative activity in the state this year.

    Monday, October 22, 2007

    Data Missing on 200,000 West Virginia PEIA Members

    WSAZ News, the State Journal and the Charleston Gazette are reporting that data on approximately 200,000 past and current members of the West Virginia Public Employees Insurance Agency (PEIA) is missing. According to the articles, the data was contained on a computer tape being mailed to a data analyst in Pennsylvania and was reported missing on October 18.

    The data tape included names and maiden names, addresses, Social Security numbers, telephone numbers, and marital status of program participants and their covered dependents. The article indicates that the data tape did not contain medical or prescription claims information.

    According to the article, letters will be mailed to impacted members and a hotline will be set up to answer questions about the lost data.

    UPDATE: For more information check out the PEIA Data Loss Press Release and the Letter to Affected Policyholders about PEIA's Recent Data Loss.