Health care breach notification mandated

Share this article:
Two new rules were created this week requiring health care organizations, and other entities that interact with personal health records (PHRs), to issue notifications in the event of a data breach.

Both rules were created as part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama in February.

An interim final rule, issued Wednesday by the U.S. Department of Health and Human Services (HHS), requires health care organizations subject to Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached, when the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS annually.

The rule also applies to business associates of health care organizations.

“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care,” Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights, said in a statement. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”

A similar final rule issued by the Federal Trade Commission this week requires web-based businesses that collect consumers' health information, including vendors and online applications that interact with PHRs, to issue notifications if a breach occurs. 

Meanwhile, on Thursday nearly $1.2 billion in grants became available to hospitals and health care providers to help facilitate the transition to electronic health records, the White House announced. The grants are funded by the ARRA.

"Expanding the use of electronic health records is fundamental to reforming our health care system," HHS Secretary Kathleen Sebelius said in a statement. "Electronic health records can help reduce medical errors, make health care more efficient and improve the quality of medical care for all Americans.”

Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com on Thursday that there are security and privacy concerns with the move to digital health care records.

“Hospitals are now targeted by insiders and professional criminals trying to access health information for financial gain,” Levin said.

But, ultimately, computerized health care records could reduce costs, result in easy backups and data recovery, and actually improve security, Levin said.

“Electronic health care records can be more secure than paper records,” Levin said.

For example, companies can implement technologies that keep a record of everyone that has accessed the records -- something they can't do with paper records, Levin said.


Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

Ground system for weather satellites contains thousands of 'high-risk' bugs

Ground system for weather satellites contains thousands of ...

An audit of the Joint Polar Satellite System ground system revealed thousands of vulnerabilities, most of which will be addressed in two years when the next version of the system ...

Threat report on Swedish firms shows 93 percent were breached

The study by KPMG and FireEye also found that 49 percent of detected malware was unknown.

Former acting HHS cyber director convicted on child porn charges

Former acting HHS cyber director convicted on child ...

Timothy DeFoggi, who was nabbed by the FBI last year in its Operation Torpedo investigation was convicted by federal jury in Nebraska.