Health care breach notification mandated

Two new rules were created this week requiring health care organizations, and other entities that interact with personal health records (PHRs), to issue notifications in the event of a data breach.

Both rules were created as part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama in February.

An interim final rule, issued Wednesday by the U.S. Department of Health and Human Services (HHS), requires health care organizations subject to Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached, when the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS annually.

The rule also applies to business associates of health care organizations.

“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care,” Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights, said in a statement. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”

A similar final rule issued by the Federal Trade Commission this week requires web-based businesses that collect consumers' health information, including vendors and online applications that interact with PHRs, to issue notifications if a breach occurs. 

Meanwhile, on Thursday nearly $1.2 billion in grants became available to hospitals and health care providers to help facilitate the transition to electronic health records, the White House announced. The grants are funded by the ARRA.

“Expanding the use of electronic health records is fundamental to reforming our health care system,” HHS Secretary Kathleen Sebelius said in a statement. “Electronic health records can help reduce medical errors, make health care more efficient and improve the quality of medical care for all Americans.”

Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told on Thursday that there are security and privacy concerns with the move to digital health care records.

“Hospitals are now targeted by insiders and professional criminals trying to access health information for financial gain,” Levin said.

But, ultimately, computerized health care records could reduce costs, result in easy backups and data recovery, and actually improve security, Levin said.

“Electronic health care records can be more secure than paper records,” Levin said.

For example, companies can implement technologies that keep a record of everyone who has accessed the records, something they can't do with paper records, Levin said.
