In response to COVID-19, DHHS Office of Civil Rights (“OCR”) announced that it will utilize its enforcement discretion to forgo imposition of penalties related to, for example, use of certain technologies or disclosures for certain public health activities. Additionally, OCR has promulgated notice of extensive proposed rulemaking related to expanded patient access and electronic health record sharing. Presently, it is impossible to predict the extent to which OCR will implement these policies under the new Biden Administration, and, as such, impossible to predict the extent to which the policies may impact the Project in the future.

HITECH. Provisions in the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), enacted as part of the American Recovery and Reinvestment Act of 2009, increased the maximum civil monetary penalties for violations of HIPAA and granted enforcement authority of HIPAA to state attorneys general. The HITECH Act also (i) extends the reach of HIPAA beyond “covered entities” to include the direct regulation of “business associates,” (ii) imposes a breach notification requirement on HIPAA covered entities and business associates, (iii) further limits certain uses and disclosures of individually identifiable health information, and (iv) restricts covered entities’ marketing communications.

The breach notification obligation, in particular, may expose covered entities to heightened liability. Under HITECH, in the event of a data privacy breach, covered entities are required to notify affected individuals and the federal government. If more than 500 individuals are affected by the breach, (1) the covered entity must also notify the media and (2) the federal government posts a description of the breach on its website. Although HIPAA does not provide for a private right of action, these reporting obligations increase the risk of government enforcement as well as class action lawsuits filed under state privacy or consumer protection laws, especially if large numbers of individuals are affected by a breach.

The HITECH Act revises the civil monetary penalties associated with violations of HIPAA and provides state attorneys general with authority to enforce the HIPAA privacy and security regulations in some cases.

On January 25, 2013, DHHS issued comprehensive modifications to the existing HIPAA regulations to implement the requirements of the HITECH Act (the “HIPAA Omnibus Rule”). Key aspects of the HIPAA Omnibus Rule include, but are not limited to: (i) a standard for what constitutes a breach of private health information, (ii) establishing four levels of culpability with respect to civil monetary penalties assessed for HIPAA violations, (iii) direct liability of business associates for certain violations of HIPAA, (iv) modifications to the rules governing research, (v) stricter requirements regarding non-exempt marketing practices, (vi) modification and re-distribution of notices of privacy practices, and (vii) stricter requirements regarding the protection of genetic information. In addition, the DHHS Office of Civil Rights, which is the government office tasked with enforcing HIPAA, has stated that it has transitioned from education on the new HITECH requirements to enforcement in its implementation of the law. Recent settlements of HIPAA violations and civil monetary penalties have reached millions of dollars. Any violation of HIPAA, regardless of intent or scope, may result in penalties or settlement amounts that are material to a covered entity health care provider or health plan.

Minnesota Privacy Regulations. Under Minnesota’s Data Breach Notification requirements, contained in Section 325E.61 of the Minnesota Statutes, any person or business that conducts business in Minnesota, and owns or licenses data that includes personal information, is required to disclose any breach of the security of the system following discovery or notification to any resident of Minnesota whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay. The statute defines “breach of the security of the system” to mean the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. “Personal information” is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired: (1) social security number; (2) driver’s license number or Minnesota identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account. The Attorney General of Minnesota enforces the law and there is a private right of action.