Site moved to www.healthblawg.com/2009/09/hitech-act-security-breach-rules-now-effective-federales-give-a-sixmonth-pass.html, redirecting in 1 second...

« David Harlow quoted on retail clinics' future direction in Supermarket News | Main | Blawg Review Bucket List Tour Hits Beantown »

September 25, 2009

HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

Two key Son of HIPAA rules mandated by the HITECH Act are now effective.  Both the FTC and HHS have finalized their security breach notification requirements and have assured the regulated community that they have six months to get their collective houses in order.

Please take the time to peruse both the HHS Son of HIPAA security breach notification rule and the FTC Son of HIPAA security breach notification rule.  I discussed the impact of the breach notification rules and their enforcement when they were issued as "guidance" and draft regs in April at HealthCamp Boston and will be posting more information about them in the near future.

A few points to consider for now:

  • The HHS breach notification rule layers encryption standards -- how to render health information "unusable, unreadable or indecipherable" -- for data at rest, data in use and data in motion, on top of the HIPAA privacy and securty rules.
  • Encryption is not required, but a security breach with respect to non-encrypted data triggers public notice requirements (i.e., alert the media) in addition to data subject notice requirements.
  • The FTC rules widen the net, imposing HIPAA-"covered-entity"-like obligations on business associates including, e.g., PHR vendors and other non-covered-entity repositories of health information. 
  • As an aside, greater regulation of other business associates under HIPAA will be effective in February; business associates will have to implement policies and procedures similar to those now required only of covered entities.
  • Enforcement will be ratcheted up after six months.  Greater sanctions are available for regulators to impose, and the FTC is a tougher enforcer than HHS has been on the HIPAA front to date.

With all this in mind, now is the time to examine policies and procedures, update them to comply with new rules -- Son of HIPAA rules and related/overlapping FTC Red Flag Rules (effective November 1) and state data security rules -- train staff to follow the policies and procedures consistently, and communicate commitment to these standards to your various consituencies: patients, other health care providers, business partners, etc. 

The Harlow Group LLC stands ready to assist covered entities and PHR providers in assessing the regulatory landscape, conducting an audit of current policies and procedures, and moving from a gap analysis to developing a fully compliant program and staying ahead of the curve going forward.  Please be in touch to learn more about our approach.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a00d83451d52c69e20120a5efa909970c

Listed below are links to weblogs that reference HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear:

» Son of HIPAA Breach Notification Rules from HealthBlawg
Health care providers: If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government -- as well as by some private payors and self-insured employers -- to... [Read More]

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Won’t a data breach mean certain bankruptcy anyway? Why should a provider be worried about HIPAA fines?

D. Kellus Pruitt DDS

With or without HIPAA, you may be on the hook under state privacy laws in case of a breach.

The new rule offers a safe harbor: encryption. For short money, you can encrypt your data, thus becoming exempt from patient and public notification requirements under HIPPA.
Encryption may offer a good defense under state law too.

The comments to this entry are closed.