The New Normal – 60 Minutes to Notify HHS of HIPAA Breach

We all knew it was coming after the Anthem HIPAA Breach, but frankly, the intensity of the swing in the other direction is a bit startling. On February 15, 2015, the Texas Department of Health and Human Services (HHS) posted a new Data Use Agreement (DUA) that applies to ALL contractors and subcontractors that provide services in relation to HHS and:

“…who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients.”

As of this morning, I know of two entities who have already received the notice from Texas that the agreement must be signed. This agreement applies:

“[T]o any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of HHS…”

Here are some highlights from the agreement.

1) First Notification of Breach of Federal Data – 60 Minutes

“For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information, within the first, consecutive clock hour of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery, or in a timeframe otherwise approved by HHS in writing, initially report to HHS’s Privacy and Security Officers via email at:”

2) Formal Notification of Breach – 48 Hours

“48-Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a time within which Discovery reasonably should have been made by CONTRACTOR of an Event or Breach of Confidential Information.” (emphasis added)

Of particular note here is the language, “should have been made.” This could have huge implications for covered entities.

3) Data Encryption – All data in motion must be encrypted. All data at rest must be encrypted unless “there is adequate administrative, technical, and physical security, or as otherwise protected as required by rule, regulation or law.” You must also document why you chose not to encrypt data at rest and provide that policy to HHS.

4) All Breach, Privacy and Security Policies must be provided to HHS.

5) Pre-Approval from HHS on Breach Notification Method and Contents

“[C]ontractor must obtain HHS’s prior written approval of the time, manner and content of any notification to Individuals, regulators or third-parties, or any notice required by other state or federal authorities.”

What is particularly potent about these requirements is that they apply to all contracts, even those already signed and in effect. This contract is mandatory and applies retroactively to current contracts. While this new policy is only in Texas for now, given the scale and scope of the Anthem HIPAA Breach, I think we can anticipate this spreading to other states, fast.

If you want to get ready, bring your legal, IT and management to the table. Evaluate your HIPAA breach, security, and privacy policies. Utilize a HIPAA compliance tool such as the NIST toolkit and perform a Security Risk Analysis. Finally, take a hard look at your encryption policies and what you can do to improve them. Now is the time to act.

/s/ HH @legallevity
