Trial sites to be issued fines if they dont notify patients of data breaches
Clinical trial sites that do not adhere to the language written in the American Recovery and Reinvestment Act (ARRA) of 2009 requiring facilities to divulge privacy breaches to their patients, could pay up to a $50,000 penalty per violation.
The legislation, effective Sept. 23, mandated clinics to unveil any “unauthorized acquisition, access, use or disclosure of protected health information which comprises the security or privacy of such information” to their patients.
According to the regulations, all notifications are required to be sent to the individual whose information was accessed unjustifiably by an outside source via first-class mail within 60 days of the discovered breach.
The Secretary of Health and Human Services will keep a running log of all information disclosures that affect less than 500 individuals, and must send out an immediate notification if a violation affects 500 individuals or more.
The policy mandates that trial sites provide the affected individuals with:
The HHS Secretary will enforce a three-tier penalty system for trial sites that do not comply with or do not report breaches of privacy:
All rules and penalties will be enforced beginning Feb. 23, 2010.
The legislation, effective Sept. 23, mandated clinics to unveil any “unauthorized acquisition, access, use or disclosure of protected health information which comprises the security or privacy of such information” to their patients.
According to the regulations, all notifications are required to be sent to the individual whose information was accessed unjustifiably by an outside source via first-class mail within 60 days of the discovered breach.
The Secretary of Health and Human Services will keep a running log of all information disclosures that affect less than 500 individuals, and must send out an immediate notification if a violation affects 500 individuals or more.
The policy mandates that trial sites provide the affected individuals with:
- A description of the type of information accessed during the breach;
- Steps an individual should take to best protect themselves from harm;
- How the privacy breach is being investigated; and
- Contact information that the individual can use for further information.
The HHS Secretary will enforce a three-tier penalty system for trial sites that do not comply with or do not report breaches of privacy:
- Legislation defines the first tier as “noncompliance due to willful neglect,” which states that “the person did not know and by exercising reasonable diligence would not have known that such person violated such provision.”
- In cases which establish that “the violation was due to reasonable cause and not to willful neglect,” trial sites will pay a $1,000 penalty, and in cases of “willful neglect” a $10,000 penalty will be allotted.
- As violations are rectified penalties will be a minimum $10,000 and not exceed $250,000. Those violations which remain unresolved will have a minimum penalty of $50,000 to an upward of $1.5 million.
All rules and penalties will be enforced beginning Feb. 23, 2010.