Employment Law Report

Sweeping New Data Breach Notification Regulations Effective September 23

By Erin Brisbay McMahon

If your company is an employer with a self-insured health plan, sweeping new data breach notification regulations issued on August 24, 2009 will impact your company, as well as companies that need to use the health information of your employees to render services to the plan (e.g., third-party administrators). The regulations, issued by the Department of Health and Human Services (HHS), go into effect September 23, 2009.

While employers aren't subject to the data breach notification regulations, the self-insured health plans they sponsor are. Because most employer-sponsored health plans don't have employees, compliance responsibilities fall to the employer.

A breach of information under the regulations is broadly defined as any access, acquisition, use or disclosure of health information that would violate the HIPAA privacy rule and that would result in significant harm to an individual whose information has been improperly used or disclosed. Lost or stolen laptops or smart phones that are unencrypted and that can access health information about plan participants, or have the health information of plan participants stored on them, would be examples of a breach.

HHS stated that it would not impose sanctions on any entity for failure to make the required notifications for breaches occurring between September 23, 2009 and February 20, 2010. However, all entities affected by the regulations should adopt a data breach notification policy and train their employees on it by September 23, and must begin logging breaches that occur on and after September 23 for submission to HHS. For self-insured health plans, this means that the sponsor's employees involved in plan administration functions need to get up to speed on the data breach notification regulations rapidly so that appropriate compliance measures can be implemented.

Access the data breach regulations here: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

For this author's more comprehensive article on the regulations, click here: Data Breach Article