
Recent Developments in Subject Data Privacy & Security

Recent Developments in Subject Data Privacy & Security. HIPAA, HITECH, and Things To Think About. Molly G. Huggins Smith Moore Leatherwood LLP | Attorneys at Law Two Hannover Square, Suite 2800 Raleigh, NC 27601 (919) 755-8792 | molly.huggins@smithmoorelaw.com.


Presentation Transcript


  1. Recent Developments in Subject Data Privacy & Security HIPAA, HITECH, and Things To Think About Molly G. Huggins Smith Moore Leatherwood LLP | Attorneys at Law Two Hannover Square, Suite 2800 Raleigh, NC 27601 (919) 755-8792 | molly.huggins@smithmoorelaw.com

  2. HIPAA and HITECH Background • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) • Privacy Regulations (2003): Establish national standards for the privacy of certain health information. • Security Regulations (2005): Establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. • American Recovery and Reinvestment Act of 2009 (“ARRA”) (2/12/2009) • Title XIII: Health Information Technology for Economic and Clinical Health (“HITECH”) Act

  3. HIPAA and Research (No, this part isn’t new) • HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. • http://www.hhs.gov/ocr.privacy/hipaa/understanding/special/research/research.pdf

  4. HITECH (A Little More Recent) • Intended to promote the use of health information technology • Contains provisions that strengthen the civil and criminal enforcement of HIPAA rules.

  5. HITECH: What it Did • Expanded the scope, penalties, and compliance challenges of HIPAA • Increased penalties for HIPAA violations • Creates a private right of action • Establishes breach reporting requirements

  6. HITECH: What It Did • Expanded penalties: • Civil penalties up to $1.5 million per calendar year for all identical violations

  7. HITECH: What It Did • Expanded penalties: • Penalty amounts range based on how egregious the behavior was: • Entity didn’t know of the violation and by exercising reasonable due diligence would not have known • Violation was due to reasonable cause and not to willful neglect • Violation was due to willful neglect

  8. HITECH: What It Did • For HIPAA violations that occur after 2/17/2009, HITECH permits State Attorneys General to bring civil actions on behalf of state residents • Up to $25,000 per year for identical violations • Cost of suit and attorneys’ fees can be awarded

  9. HITECH: WHAT IT DID • Breach Notification • Under HIPAA, no requirement to notify patients of breaches of PHI • HITECH mandates notifying patients if there has been a breach of PHI

  10. The Really Recent News “We said it, We meant it.” • 2/24/2011 DHHS announced a $1 million settlement for an alleged HIPAA privacy violation involving Massachusetts General Hospital. • 2/4/2011 DHHS imposed a civil penalty of $4.3 million on Cignet Health Center.

  11. [Think, Think, Think]

  12. Suggested Contract Language • Sponsor [and CRO] shall comply with the restrictions in any subject authorization regarding the use, disclosure, and confidentiality of any protected health information (“PHI”), as defined by HIPAA.

  13. Insufficient! • Sponsor [and CRO] shall comply with applicable laws and regulations regarding the confidentiality of protected health information.

  14. Better • Sponsor [and CRO] shall comply with the restrictions contained in any subject authorization regarding the use, confidentiality, and disclosure of the subject’s PHI.

  15. Suggested Contract Language • The Sponsor shall have the right itself or through [a third party/CRO], at mutually agreeable times, and during normal business hours, to audit the site(s) where the Study is being performed. Sponsor shall have binding agreements in place with [CRO or any contractor, agent, or third party] performing such audit on its behalf obligating the [CRO or agent, contractor, or third party] (i) to maintain the confidentiality of all PHI to which it may have access; and (ii) to use the PHI solely as permitted by the Study subject’s authorization and informed consent. In addition to its indemnification obligations under Section ___ of this Agreement, Sponsor shall indemnify, defend, and hold harmless Institution from any and all claims arising from the improper use or disclosure of PHI by any agent, contractor, or third party performing such audit on Sponsor’s behalf.

  16. A Note for Our Sponsors • If you agree to that language, or something similar, be sure you are obtaining a sufficient commitment and indemnification from your CROs or other contractors.

  17. Last Quick Point • Regulations regarding authorizations for “future use” may change. No word yet.

  18. Contact Molly G. Huggins Smith Moore Leatherwood LLP Attorneys at Law Two Hannover Square, Suite 2800 Raleigh, NC 27601 (919) 755-8792 | molly.huggins@smithmoorelaw.com
