FINAL INTERIM RULES ISSUED ON HIPAA DATA BREACH NOTIFICATION
CMS issues HIPAA "final interim" data breach regulations with September 24 effective date. Enforcement may be delayed to February 2010.
Published Aug 26, 2009
Faced with a congressional mandate for rules, CMS has released "final" "interim" rules that generally parallel the April 17 version.
Among the highlights:
a. The federal rules do not pre-empt the state rules except where joint compliance is impossible;
b. Although the rules give you up to 60 days for disclosure, the CMS comments make it clear that they may not accept a 60-day limit where disclosure could have been reasonably made sooner;
c. Deadline for compliance is September 24, 2009, based on the publication date (in spite of concern that the Congressional mandate probably required the 17th), although the CMS statement suggests that they have exercised general discretion to delay enforcement until the general February 17, 2010 deadline under the ARRA. Caution: This statement was not sufficiently definite to rule out enforcement in a breach occurring after September 24 but prior to February, if CMS feels it is warranted.
d. In order to comply with the actual September deadline, it would be necessary to establish breach notification policies and procedures (if not already in place or compliant with the new rules), modify Business Associate agreements, train personnel, have sanctions in place for Business Associates and employees for breaches, and have mitigation and notification plans ready to use.
e. Breaches covered by this rule involve only UNENCRYPTED protected healthcare information under HIPAA. CMS has ruled in this regulation that ONLY encryption or destruction of data renders the information sufficiently inaccessible or unusable to satisfy legislative standards.
f. Redaction of documents does not render the PHI secure, but de-identification of documents removes the data from the classification of PHI and therefore removes the breach from the disclosure requirements of this regulation, CMS indicated.
g. Both healthcare providers and business associates are subject to new and more aggressive fine enforcement under the ARRA and these regulations.
A Full text PDF of the final interim regulation may be downloaded at www.medlaw.com/breachnotification.pdf