Health Information Security & Data Breach Under HITECH Act

September 17, 2009  | 12:00 pm CT (90 minutes) | 1.2 CEUs

Cynthia Marcotte Stamer, Partner & Health Practice Leader, Curran Tomko Tarski LLP
Raj Mehta, CPA, CITP, CISA, CISSP, CIPP, Partner, Deloitte & Touche LLP

Health care providers, health plans, health care clearinghouses and their business associates must start complying on September 24, 2009 with the new federal health information data breach notification rules released by the Department of Health and Human Services (HHS) on August 19, 2009.

The Health Care Compliance Association invites you to catch up on what these new rules mean for your organization and how it must respond by participating in the “Health Information Security & Data Breach Under HITECH Act” briefing on Thursday, September 17, 2009 from Noon to 1:30 P.M. Central Time. The briefing will cover:

  • Who Must Comply
  • How To Qualify Protected Health Information As Exempt From Breach Regulations As “Secure”
  • What Is Considered A Breach of Unsecured Protected Health Information
  • What Steps Must a Covered Entity Take If A Breach Of Unsecured Protected Information Happens
  • What Liabilities Do Covered Entities Face For Non-Compliance
  • Interrelationship of the Breach Regulation With Impending FTC Red Flag Rules
  • Other Recent Developments
  • Practical Tips For Assessing, Planning and Moving to Compliance
  • Participant Questions
  • More

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to provide certain breach notifications following a “breach” of “unsecured” protected health information beginning September 24, 2009. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that is not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act. Under the HITECH Act, the breach notification obligations contained in the Breach Regulation only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts from its breach notification requirements breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information.

For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals; these standards determine when protected health information will be considered “unsecured” for purposes of the HITECH Act. Concurrently with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.

About The Presenters

Cynthia Marcotte Stamer, Partner & Health Practice Leader, Curran Tomko Tarski LLP
A longstanding member of the HCCA, Cynthia Marcotte Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information and other employment, health care and privacy concerns.

Raj Mehta, CPA, CITP, CISA, CISSP, CIPP, Partner, Deloitte & Touche LLP
Raj is a Partner with Deloitte & Touche's Enterprise Risk Services. Raj has over fourteen years of experience in the areas of information security, privacy, IT Risk Management and Governance.