HIPAA HITECH Act and the HIPAA Breach Notification Rule.

 

Federal law requires health care professionals and businesses to protect identifiable health information through the Health Insurance Portability and Accountability Act (HIPAA). Congress passed HIPAA in 1996 to organize and simplify the law on privacy, security, and electronic transactions of health information. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act to address breach notification procedures and expand HIPAA’s privacy and security reach. G2Z Law Group, PLLC is here to help your organization understand and comply with HITECH and the Breach Notification Rule.

What is the HIPAA HITECH Act?

 

The HITECH Act expanded HIPAA privacy and security regulations, including the creation of regular, periodic audits of health care entities. It trained state executive agencies on legal actions to enforce HIPAA, and it also standardized the compliance requirements and penalties for covered entities and business associates alike. It expanded the disclosure process and gave patients more control over the use of their protected health information (PHI).

What Is Considered a Breach?

 

The HIPAA Breach Notification Rule requires covered entities to report HIPAA violations and data breaches to the individuals whose information was breached as well as the government agencies responsible for oversight. In addition, the HIPAA Breach Notification Rule requires entities to make breaches public in certain circumstances.

 A breach is “an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.” It occurs when there is significant risk of harm, whether financial or otherwise, to an individual. The elements used to make this determination include:

  • The recipient of the information and whether the protected information was actually viewed or used;

  • The immediate and long-term steps taken to reduce the impact of the harm;

  • The possibility of correcting the breach or returning information; and

  • The amount, type and identifiers of the information that was disclosed, including the likelihood of reidentification.

What Disclosures Are Required Under the HIPAA Breach Notification Rule?

 

A breach notification must be provided to the individual within 60 days of the discovery of the breach, and breach reporting must include the following specifics:

  • A description of the breach;

  • A description of the kind of information disclosed;

  • Next steps for affected individuals in order to protect themselves from potential harm;

  • A description of the current investigation into the breach, efforts to mitigate the harm, and efforts to prevent additional breaches; and

  • Contact information for the entity.

The breach must be made public if there are more than ten affected individuals with insufficient or outdated contact information. The entity must publish the breach in a prominent media outlet within 60 days if more than 500 individuals are involved.

How Can G2Z Law Group, PLLC Help My Health Care Business?

 

Our firm is prepared to assess your business’s compliance with the HIPAA HITECH Act and the HIPAA Breach Notification Rule. Whether as a preventative measure or as a response to an investigation, our firm knows how to assess, reduce, and control breach notification risks. G2Z Law Group will develop a management plan, implement mitigation procedures, review and revise HITECH policies and procedures, establish evaluation and training materials, and develop best practices regarding the notification of privacy or security breaches.

Our attorneys can also defend you in investigations for breach notification and HITECH Act violations before State agencies, such as the State Health Professional Boards, or in Federal investigations, such as before the Office of Civil Rights.


 

Copyright 2020, G2Z Law Group, PLLC