22 Health Law. 1 (2009-2010)

handle is hein.journals/healaw22 and id is 1 raw text is: THE ABA HEALTH LAW SECTION
HEALT1H
H LAWYER

IN THIS ISSUE
The HITECH Breach Notification
Rules: Understanding the New
Obligations ............................ 1
Race and Ethnicity: BiDil
at the Intersection of Health
Disparities, Pharmacotherapy,
and Law ............................... 14
The Practical Pitfalls of Exclusion
as Applied to Individual Health
Care Providers, Client Entities
and their Counsel ................ 23
Medical Legal Partnerships:
A Key Strategy for Mitigating
the Negative Health Impacts
of the Recession .................. 29
Generic Drugs and Preemption
after Wyeth v. Levine .............. 35
Volume 22, Number 1
October 2009

THE HITECH BREACH
NOTIFICATION RULES:
UNDERSTANDING THE
NEW OBLIGATIONS

Andrew B. Wachler, Esq.
Amy K. Fehn, Esq.
Wachler & Associates, P.C.
Royal Oak, MI
On August 19, 2009, the Department
of Health and Human Services (HHS)
issued an interim final rule with request for
comments on the Breach Notification for
Unsecured Protected Health Information
(the Interim Final Rule).' The Interim
Final Rule was mandated by the Health
Information Technology for Economic
and Clinical Health (HITECH) Act, as
part of the American Recovery and
Reinvestment Act of 2009 (ARRA),2
which was enacted on February 17, 2009.
The Interim Final Rule sets forth the
regulatory requirements for determining
when a breach of unsecured protected
health information has occurred and
dictates how, when and to whom such a
breach must be reported. The Interim
Final Rule also addresses comments and
clarifies certain provisions contained in
the Guidance and Request for Information
issued by HHS on April 17, 2009' related
to technologies and methods available to
secure protected health information.
While the Interim Final Rule sets forth
the obligations for covered entities and
business associates of covered entities that

are subject to HIPAA, the Federal Trade
Commission (FTC) also issued a final
rule imposing similar notification
requirements on vendors of personal
health records (PHRs) and entities
that contract with such vendors.
The Interim Final Rule became
effective on September 23, 2009.
However, HHS has stated that it will not
impose sanctions for failure to provide
notification of breaches discovered
before 180 days from the publication of
the rule, i.e., February 22, 2010.' HHS
has requested additional comments
which are due October 23, 2009 and
could result in further modifications of
the Interim Final Rule in the future.
Definition of Breach
The Interim Final Rule defines a
breach as the acquisition, access, use,
or disclosure of protected health infor-
mation in a manner not permitted under
Subpart E of this part [the HIPAA
Privacy Rule] which compromises the
security or privacy of the protected
health information.6 By definition, a
use or disclosure that violates the
HIPAA Privacy Rule7 is a prerequisite to
the finding of a breach pursuant to the
Interim Final Rule.8 So, for example, a
continued on page 3

What Is HeinOnline?

HeinOnline is a subscription-based resource containing nearly 2,700 academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline with pricing starting as low as $29.95

Access to this content requires a subscription. Please visit the following page to request a quote or trial:

Already a HeinOnline Subscriber?