Privacy and Security Round-up – Colorado Data Breach Law, Guidance from OCR
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.
New Colorado Data Breach Law
Our Privacy and Security colleagues recently blogged about a new Colorado law that imposes strict requirements on entities that maintain, own, or license personal identifying information of Colorado residents. The law broadly defines “personal identifying information” as a Social Security number; a person identification number; a password or passcode; a driver’s license or identification card number; a passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. In addition, the law requires entities to report breaches of such data within 30 days of discovery.
Colorado’s law is a good reminder for HIPAA covered entities that they need to comply with both HIPAA and state requirements. Certain aspects of the Colorado law impose stricter requirements than HIPAA, so covered entities cannot rely solely on compliance with HIPAA and presume that they are satisfying all of their privacy and security obligations. One noteworthy example of differing requirements is Colorado’s new 30-day timeframe for breach reporting, which is half of HIPAA’s 60-day timeframe. Unlike some states’ laws, the Colorado law does not provide an exception for covered entities and business associates that comply with their obligations under the HIPAA breach notification rule. HIPAA covered entities must be aware of the state privacy and breach notification laws in the states in which they operate, which can be especially difficult for entities that operate across several states or nationwide. The Mintz Matrix, which tracks data breach laws in all 50 states, is a useful resource for these types of entities.
New Guidance from OCR on Authorizations for Research
On June 14, 2018, OCR issued new interim guidance on individual authorizations for the use and disclosure of protected health information (“PHI”) for future research. The guidance was mandated by the 21st Century Cures Act, which required HHS to issue clarifications on how authorizations for use or disclosure for future research should be handled. The guidance walks through the mandatory elements of any authorization under HIPAA—a useful refresher even for those entities not involved in research—and then addresses questions specifically related to research.
- Purpose – In order to be valid under HIPAA, an authorization must describe the purpose for which the use or disclosure is being made. In the guidance, OCR reiterated its position from the preamble to the Omnibus Rule that an authorization sufficiently describes the purpose of the use or disclosure if it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for future research.
- Expiration – The guidance confirms that for research authorizations, valid statements of expiration could include “at the end of the research study,” “none,” or “until revoked by the individual.”
- Revocation – HIPAA requires that individuals have the opportunity to revoke authorizations and that such revocations are valid except to the extent the covered entity has taken action in reliance on the authorization. The guidance provides that a covered entity conducting research could continue to use PHI obtained before the revocation if it is necessary to maintain the integrity of the research. OCR gives the specific examples of accounting for the subject’s withdrawal from the study and reporting adverse events as actions taken in reliance on the authorization. Additionally, OCR clarified that a revocation is not effective until the covered entity receives the revocation or has knowledge of it. The guidance describes a scenario in which a non-covered entity researcher obtains an authorization from a study subject and a covered entity discloses PHI on the basis of that authorization. If the study subject subsequently provides a revocation of the authorization to the researcher, the covered entity would not have knowledge of the revocation unless the research provides a copy of the revocation.
- Revocation Reminders -Thankfully for covered entities involved in research, OCR confirmed that while entities may provide reminder of the right to revoke, such reminders are not required by HIPAA.
In the guidance, OCR confirmed that the guidance is intended to be interim while the agency conducts additional inquiries and discussions on the issue.
Stayed Tuned for More from OCR
We continue to monitor updates from OCR. This spring’s Unified Agenda of Regulatory and Deregulatory Actions includes a few items to watch related to HIPAA.
- An Advanced Notice of Propose Rulemaking (ANPRM) on establishing a methodology for sharing civil money penalties and settlements with individuals impacted by HIPAA breaches.
- An ANPRM related to changes to the HIPAA Privacy Rule requirements for providing an accounting of disclosures to individuals. This ANPRM would also withdraw the prior 2011 Notice of Proposed Rulemaking (NPRM) on the accounting rule.
- An NPRM modifying the requirement that a covered entity obtain an individual’s written acknowledgement of his or her receipt of the entity’s Notice of Privacy Practices (or document good faith efforts to obtain such acknowledgement).
- An NPRM related to disclosing PHI to the family members of incapacitated patients.
We’ll provide updates on these items if and when they come to fruition.