Two new rules were created this week requiring health care organizations and other entities that interact with personal health records (PHRs) to issue notifications in the event of a data breach.
Both rules were created as part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama in February.
An interim final rule, issued Wednesday by the U.S. Department of Health and Human Services (HHS), requires health care organizations subject to Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached, when the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS annually.
The rule also applies to business associates of health care organizations.
“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care,” Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights, said in a statement. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
A similar final rule issued by the Federal Trade Commission this week requires web-based businesses that collect consumers’ health information, including vendors and online applications that interact with PHRs, to issue notifications if a breach occurs.
Meanwhile, on Thursday, nearly $1.2 billion in grants became available to hospitals and health care providers to help facilitate the transition to electronic health records, the White House announced. The grants are funded by the ARRA.
“Expanding the use of electronic health records is fundamental to reforming our health care system,” HHS Secretary Kathleen Sebelius said in a statement. “Electronic health records can help reduce medical errors, make health care more efficient and improve the quality of medical care for all Americans.”
Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com on Thursday that there are security and privacy concerns with the move to digital health care records.
“Hospitals are now targeted by insiders and professional criminals trying to access health information for financial gain,” Levin said.
But, ultimately, computerized health care records could reduce costs, result in easy backups and data recovery, and actually improve security, Levin said.
“Electronic health care records can be more secure than paper records,” Levin said.
For example, companies can implement technologies that keep a record of everyone who has accessed the records — something they can’t do with paper records, Levin said.