SEP 24, 2009 5:46am ET

Health Data Breach Rules Become Effective

New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months. Both rules were mandated under the American Recovery and Reinvestment Act.

A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement.

"Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule. "During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule."

A separate rule for HIPAA-covered entities, the HHS interim final rule, was published on Aug. 24 with a Sept. 23 effective date. The rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals when a data breach occurs. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be reported to HHS annually. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

The HHS rule also includes updated guidance on how to determine when information is "unsecured" and notification is required. If breached data is unusable, unreadable or indecipherable to unauthorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required.

Because of industry concerns with the quick deadlines and ambiguities in the law, HHS in the rule granted an enforcement grace period. "We will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or Feb. 22, 2010," the HHS interim final rule states. "During this initial time period--after this rule has taken effect but before we are imposing sanctions--we expect covered entities to comply with this subpart and will work with covered entities, through technical assistance and voluntary corrective action, to achieve compliance."

Both rules are available in the Federal Register at gpoaccess.gov/fr/index.html. Under "Browse the Table of Contents from back issues," click "Go" and select the Aug. 24 and Aug. 25 issues.

This article can also be found at HealthDataManagement.com.
