Wyatt Employment Law Report

Sweeping New Data Breach Notification Regulations Effective September 23


By Erin Brisbay McMahon

If your company is an employer with a self-insured health plan, sweeping new data breach notification regulations issued on August 24, 2009 will impact your company, as well as companies that need to use the health information of your employees to render services to the plan (e.g., third-party administrators). The regulations, issued by the Department of Health and Human Services (HHS), go into effect September 23, 2009.

While employers aren’t subject to the data breach notification regulations, the self-insured health plans they sponsor are. Because most employer-sponsored health plans don’t have employees, compliance responsibilities fall to the employer.

Under the regulations, a breach of information is defined quite broadly: any access, acquisition, use or disclosure of health information that would violate the HIPAA privacy rule and that would result in significant harm to the individual whose information has been improperly used or disclosed. Lost or stolen laptops or smart phones that are unencrypted and that either can access health information about plan participants or have that health information stored on them are examples of a breach.

HHS stated that it would not impose sanctions on any entity for failure to make the required notifications for breaches occurring between September 23, 2009 and February 20, 2010. However, all entities affected by the regulations should adopt a data breach notification policy and train their employees on it by September 23, and must begin logging breaches that occur on and after September 23 for submission to HHS. For self-insured health plans, this means that the sponsor’s employees involved in plan administration functions need to get up to speed on the data breach notification regulations rapidly so that appropriate compliance measures can be implemented.

Access the data breach regulations here: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

For this author’s more comprehensive article on the regulations, click here: Data Breach Article

Author: Kim Koratsky

Labor & employment lawyer with the Memphis, Tennessee office of Wyatt, Tarrant & Combs, LLP

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
