May 24, 2012

HHS Set to Identify by Name All Private Practices Experiencing a Breach Affecting 500 or More Individuals

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm
Elizabeth H. Johnson
Poyner Spruill LLP
Friday, July 9, 2010
Health Law & Managed Care
All Federal / North Carolina
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

As you know, HIPAA covered entities experiencing a security breach are obligated to notify affected individuals, the Department of Health and Human Services (HHS) and, in some cases, the media. When a breach affects 500 or more individuals, the covered entity must report the incident to HHS within 60 days of discovery. HHS, in turn, provides a brief summary of the event on its website, www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.

To date, HHS has listed private practices anonymously, identifying them only as “Private Practice.” HHS took the position that private practices could not be specifically named on the website because they are identifiable as “individuals” within the meaning of the Privacy Act which would potentially require the practice’s consent prior to listing them by name. Pursuant to the Privacy Act, HHS may designate its publication of breaches, including naming private practices, as a “routine use” of the information such that prior consent is not required for the publication. Accordingly, on April 13, HHS published a Federal Register notice stating its intention to start identifying private practices by name on its breach website, designating such publication as a “routine use” of the information under the Privacy Act. HealthLeaders Media reports that HHS will begin naming private practices both prospectively and retroactively within 40 days of publishing the Federal Register notice, or May 23 at the earliest.

Private practices (and other HIPAA covered entities) should take steps to mitigate the risk of a security breach. Although a breach can occur in a variety of ways, almost half of the breaches reported on the HHS website were caused by lost or stolen electronic portable devices, such as laptops. In addition, BNA’s Privacy Law Watch reports that 80% of medical identity theft cases are caused by health organizations’ staff. As a result, portable media and dishonest employees are among the most likely causes of a security breach.

HIPAA covered entities also should implement a procedure to respond to suspected breaches, as mandated by recent revisions to the HIPAA Privacy Rule. A sound procedure will help covered entities, including private practices, to respond promptly to suspected breaches, enabling them to meet the 60-day reporting deadline if their investigation of the breach determines it must be notified to individuals and HHS.

© 2012 Poyner Spruill LLP. All rights reserved.

About the Author

Elizabeth H. Johnson
Partner

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various size and scope, ranging from Fortune 100 companies with international reach to local charities.  She was listed among the top privacy professionals in Computerworld’s...

ejohnson@poynerspruill.com
919.783.2971
www.poynerspruill.com

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.