Free Webinar: HIPAA Privacy & Security Rules Update

On Thursday, October 7, 2010, from 1:00PM to 2:00PM, Post & Schell, in collaboration with Kroll Fraud Solutions, will present a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick will highlight the key provisions in the NPRM, including:

  • New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
  • Providing patients with e-copies of their PHI
  • Extension of HIPAA Privacy and Security Rules to business associates
  • Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, will discuss the practical implications of this new set of regulations on covered entities and business associates, including:

  • Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
  • Reviewing current contractual agreements and relationships with business associates and their subcontractors
  • Training staff of the organization
  • Breach preparedness and breach response

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the webinar: register now. After registering, you will receive log-in information for this webinar by e-mail.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

California fines hospital $250,000 for failing to comply with state breach statute

As we mentioned previously, California has the strictest data breach notification statute in the country, allowing entities only five days to report a breach and not permitting even the customary delays for law enforcement efforts. The California Department of Public Health (CDPH) is charged with enforcement of this statute, contained in Section 1280.15 of the California Code, and may impose a maximum fine of $250,000 for each breach incident.

CDPH imposed the maximum $250,000 fine on Lucile Salter Packard Children's Hospital (LSPCH) at Stanford University for failing to report within five days a breach involving 532 patients. The breach resulted from an employee of LSPCH stealing a laptop containing PHI for these 532 patients.

The somewhat shocking part is that CDPH levied the maximum fine on this hospital, even though the hospital reported this breach after an investigation less than two weeks later. LSPCH discovered the breach on February 1, 2010, but did not report the breach until February 19, 2010. In fact, CDPH learned of the breach from the hospital's notice. While this is a clear violation of the five-day rule (however just or draconian the rule may be), it does not seem to be an egregious violation that would merit the maximum fine. LSPCH believes that its notification to the state and to the affected individuals was reasonable and timely and is appealing the fine.
