
Privacy and Security Round-up – Colorado Data Breach Law, Guidance from OCR

Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.

New Colorado Data Breach Law

Our Privacy and Security colleagues recently blogged about a new Colorado law that imposes strict requirements on entities that maintain, own, or license personal identifying information of Colorado residents. The law broadly defines “personal identifying information” as a Social Security number; a person identification number; a password or passcode; a driver’s license or identification card number; a passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. In addition, the law requires entities to report breaches of such data within 30 days of discovery.

Colorado’s law is a good reminder for HIPAA covered entities that they need to comply with both HIPAA and state requirements. Certain aspects of the Colorado law impose stricter requirements than HIPAA, so covered entities cannot rely solely on compliance with HIPAA and presume that they are satisfying all of their privacy and security obligations. One noteworthy example of differing requirements is Colorado’s new 30-day timeframe for breach reporting, which is half of HIPAA’s 60-day timeframe. Unlike some states’ laws, the Colorado law does not provide an exception for covered entities and business associates that comply with their obligations under the HIPAA breach notification rule. HIPAA covered entities must be aware of the state privacy and breach notification laws in the states in which they operate, which can be especially difficult for entities that operate across several states or nationwide.

New Guidance from OCR on Authorizations for Research

On June 14, 2018, OCR issued new interim guidance on individual authorizations for the use and disclosure of protected health information (“PHI”) for future research. The guidance was mandated by the 21st Century Cures Act, which required HHS to issue clarifications on how authorizations for use or disclosure for future research should be handled. The guidance walks through the mandatory elements of any authorization under HIPAA—a useful refresher even for those entities not involved in research—and then addresses questions specifically related to research.

  • Purpose – In order to be valid under HIPAA, an authorization must describe the purpose for which the use or disclosure is being made. In the guidance, OCR reiterated its position from the preamble to the Omnibus Rule that an authorization sufficiently describes the purpose of the use or disclosure if it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for future research.
  • Expiration – The guidance confirms that for research authorizations, valid statements of expiration could include “at the end of the research study,” “none,” or “until revoked by the individual.”
  • Revocation – HIPAA requires that individuals have the opportunity to revoke authorizations and that such revocations are valid except to the extent the covered entity has taken action in reliance on the authorization. The guidance provides that a covered entity conducting research could continue to use PHI obtained before the revocation if it is necessary to maintain the integrity of the research. OCR gives the specific examples of accounting for the subject’s withdrawal from the study and reporting adverse events as actions taken in reliance on the authorization. Additionally, OCR clarified that a revocation is not effective until the covered entity receives the revocation or has knowledge of it. The guidance describes a scenario in which a non-covered entity researcher obtains an authorization from a study subject and a covered entity discloses PHI on the basis of that authorization. If the study subject subsequently provides a revocation of the authorization to the researcher, the covered entity would not have knowledge of the revocation unless the researcher provides a copy of the revocation.
  • Revocation Reminders – Thankfully for covered entities involved in research, OCR confirmed that while entities may provide reminders of the right to revoke, such reminders are not required by HIPAA.

In the guidance, OCR confirmed that the guidance is intended to be interim while the agency conducts additional inquiries and discussions on the issue.

Stay Tuned for More from OCR

We continue to monitor updates from OCR. This spring’s Unified Agenda of Regulatory and Deregulatory Actions includes a few items to watch related to HIPAA.

  • An Advance Notice of Proposed Rulemaking (ANPRM) on establishing a methodology for sharing civil money penalties and settlements with individuals impacted by HIPAA breaches.
  • An ANPRM related to changes to the HIPAA Privacy Rule requirements for providing an accounting of disclosures to individuals. This ANPRM would also withdraw the prior 2011 Notice of Proposed Rulemaking (NPRM) on the accounting rule.
  • An NPRM modifying the requirement that a covered entity obtain an individual’s written acknowledgement of his or her receipt of the entity’s Notice of Privacy Practices (or document good faith efforts to obtain such acknowledgement).
  • An NPRM related to disclosing PHI to the family members of incapacitated patients.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Kate Stewart, Mintz Levin Law Firm, Boston, Health Care Law Attorney
Associate

Kate’s practice involves a variety of regulatory and transactional matters for healthcare providers, including hospitals, physician groups, clinical laboratories, retail health clinics, and pharmacies.  

Kate counsels health care clients on HIPAA compliance, telemedicine practice, licensure and scope of practice issues, clinical trial compliance, physician contracting and the federal Physician Payments Sunshine Act. 

For both Covered Entities and Business Associates, she has advised on initial implementation and updates...

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney
Associate

Sarah Beth’s practice focuses on advising health care providers, PBMs, and laboratories on a variety of regulatory issues.

Prior to joining Mintz Levin, Sarah Beth worked as a law clerk with the health staff of the US Senate Committee on Finance, where she researched policy, regulations, and legislation regarding commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act. She also drafted legislation.

In addition, Sarah Beth worked as a law clerk for a legal practice in Washington, DC. Her experience also includes legal internships with a large, nonprofit health care system and with the International Trade Administration of the US Department of Commerce. 
