HIPAA Breach Notification Rule: Safe Harbor & Current Obligations

Interim HIPAA breach notification regulations from the U.S. Department
of Health and Human Services, ("HHS") became effective September 23,
2009, requiring entities to give notice to affected individuals of any
breach of unsecured, protected health information. These rules originate
with the Stimulus Bill and are part of the administration's promotion of
"electronic health records."

Safe Harbor

The new rules contain a safe-harbor. Entities that use HHS-approved
technologies and methodologies that result in the encryption and
destruction of certain health records need not comply with the
notification rules (although notification is still considered a best
practice).

Key to the safe-harbor is the fact that the rules apply only to
breaches of "unsecured" Protected Health Information ("PHI"). The term
"unsecured" refers to PHI that has not been secured through the use of
technology or methodology approved by HHS. HHS Guidance (called the
"HITECH Breach Notification Guidance") describes those approved
technologies and methodologies, making PHI "unusable, unreadable, or
indecipherable to unauthorized individuals". Electronic PHI is secured
when it has been adequately encrypted. Hard copies of PHI can only be
secured when shredded or destroyed such that they cannot be read or
reconstructed.

Current Obligations

A covered entity and a business associate must be able to identify,
record, investigate and report to an affected individual and HHS any
breach occurring after September 23, 2009. A covered entity's work
force must be trained on the new breach notification regulations.
Additionally, a covered entity must include sanctions for violating the
new breach of notification rules, and the sanction must be included in
the covered entity's policies. Therefore, covered entities should
examine their handbooks or other provisions regarding sanctions to
insure that they are broad enough to include sanctions relating to the
breach of notification rules. If not, they need to be updated.

Definition of Breach

If there is a saving grace in all of this, it is that the definition
of a "breach" has been modified as well. The regulations now provide
that a "breach" exists if there is an acquisition, access, use, or
disclosure of PHI in a manner not permitted by the Privacy Rules and
such action "compromises" the security or the privacy of the PHI. The
definition of "compromise" now includes a helpful risk analysis, and
under that analysis the PHI is compromised only if the event poses "a
significant risk of financial, reputational, or other harm to the
individual." In other words, many minor or insignificant breaches may
not pose a significant risk of such harm, and need not be reported to
the affected individual or to HHS. A breach of unsecured PHI is also not
considered to have occurred under certain exceptions:

1. If an unauthorized person to whom the unsecure PHI is disclosed would
not reasonably have been able to retain the PHI;

2. An unintentional acquisition, access, or use of unsecured PHI occurs
by an employee or individual acting under the authority of a HIPAA
covered entity or business associate, but only if (a) the acquisition,
access or use is made in good faith and within the course and scope of
employment or other professional relationship with the covered entity or
business associate and (b) such unsecured PHI is not further acquired,
accessed, used, disclosed by anyone; or

3. Where the inadvertent disclosure occurs from an individual who is
otherwise authorized access to unsecure PHI at a facility operated by a
HIPAA covered entity or business associate, to another similarly
situated individual at the same facility, but only if the unsecured PHI
is not further accessed, acquired, used or disclosed without
authorization.

HIPAA covered entities and business associates should each identify
their business associates, agents and sub-contractors and review their
agreements to include compliance with the new regulations. Handbooks
and training need to be updated as well.

Kevin McManaman

Knudsen, Berkheimer, Richardson & Endacott, LLP

3800 VerMaas Pl

Suite 200

Lincoln NE 68502

402 475 7011

402 475 8912 (F)

www.knudsenlaw.com

krm@knudsenlaw.com

Long-Term Care Insurance Provisions in the Pension Protection Act Take Effect January 1, 2010

The Pension Protection Act of 2006 (PPA) was signed into law on
August 17, 2006. Included among the many provisions in the PPA is
Section 844 which, in part, encourages individuals to purchase insurance
for future long-term care needs. This Section takes effect January 1,
2010 and is effective for contracts issued after December 31, 1996.

Section 844 of the PPA addresses the treatment of long-term care
insurance riders that are added to annuity contracts or life insurance
policies. In the past, the Tax Code has prohibited combinations of
long-term care insurance policies with annuity contracts because payouts
from these policies were taxed differently under the Code. However,
beginning January 1, 2010, the PPA permits long-term care insurance
riders to be attached to annuity contracts. Once these riders are
attached, they will be treated as separate contracts which are
independent from the original annuity contracts. Accordingly, when a
rider attached to an annuity contract is a tax-qualified long-term care
rider, benefits paid out under the rider for long-term care will
generally be paid as tax-free long-term care insurance benefits, if
certain triggering events occur.

These new "combination" policies are expected to be desirable to
individuals previously concerned with the "use-it-or-lose-it" feature
which is found in most stand alone long-term care insurance policies
because the annuities included in the policies can be utilized, even if
no long-term care services are ever needed by the policyholders.

Laura Troshynski

Knudsen, Berkheimer, Richardson & Endacott, LLP

3800 VerMaas Pl

Suite 200

Lincoln NE 68502

402 475 7011

402 475 8912 (F)

www.knudsenlaw.com

Making Sure Arbitration Agreements are Enforceable

Long term care facilities have recently begun offering residents the
option of agreeing to arbitrate disputes that arise during residency.
An arbitration agreement may benefit both facilities and residents as an
alternative to litigation, by reducing the expense, delay and emotional
stress associated with court trials. These agreements are usually
enforceable under the Federal Arbitration Act.

Arbitration agreements typically are signed upon admission to the
facility, along with other agreements covering residency and care.
Often they are signed by family members or others who accompany the
resident. This may occur because of physical infirmity, mental
incapacity or other reasons.

The Nebraska Supreme Court recently held an arbitration agreement
invalid that was signed by a nursing home resident's son in Koricic v.
Beverly Enterprises. The son wasn't the resident's appointed
conservator or guardian and had no power of attorney. Even so, the
trial court had found the resident had given her son permission to sign
papers for her admission to the nursing home.

On appeal the Nebraska high court reversed, concluding the mother's
statements authorizing her son to sign papers didn't include the
arbitration agreement, because it wasn't required as a condition for her
admission. Since the son wasn't legally authorized to sign the
arbitration agreement it was not binding on his mother's estate.

Koricic demonstrates that nursing home admissions personnel have to
insure that anyone signing an arbitration agreement has legal capacity
to enter into a binding commitment for the resident.

Unless the resident is incompetent, the best practice generally calls
for the resident to personally sign the arbitration agreement and other
admissions documents.

If someone other than a resident must sign admissions documents, they
must have legal authority to sign for the resident. That generally
means the one signing must be a court-appointed conservator or guardian,
or else possess a power of attorney, signed when the resident was
competent, authorizing the signer to execute the document on the
resident's behalf.

Knudsen Law Firm can provide long term care facilities with properly
drafted arbitration agreements. Just as important, we can advise on
training admissions staff to insure a legally authorized person signs
the agreement, to make it enforceable and effective.

Knudsen, Berkheimer, Richardson & Endacott, LLP

3800 VerMaas Pl

Suite 200

Lincoln NE 68502

402 475 7011

402 423 4768 (H)

402 440 3731 (M)

402 475 8912 (F)

www.knudsenlaw.com