HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

Two key Son of HIPAA rules mandated by the HITECH Act are now effective.  Both the FTC and HHS have finalized their security breach notification requirements and have assured the regulated community that they have six months to get their collective houses in order.

Please take the time to peruse both the HHS Son of HIPAA security breach notification rule and the FTC Son of HIPAA security breach notification rule.  I discussed the impact of the breach notification rules and their enforcement when they were issued as "guidance" and draft regs in April at HealthCamp Boston and will be posting more information about them in the near future.

A few points to consider for now:

  • The HHS breach notification rule layers encryption standards — how to render health information "unusable, unreadable or indecipherable" — for data at rest, data in use and data in motion, on top of the HIPAA privacy and securty rules.
  • Encryption is not required, but a security breach with respect to non-encrypted data triggers public notice requirements (i.e., alert the media) in addition to data subject notice requirements.
  • The FTC rules widen the net, imposing HIPAA-"covered-entity"-like obligations on business associates including, e.g., PHR vendors and other non-covered-entity repositories of health information. 
  • As an aside, greater regulation of other business associates under HIPAA will be effective in February; business associates will have to implement policies and procedures similar to those now required only of covered entities.
  • Enforcement will be ratcheted up after six months.  Greater sanctions are available for regulators to impose, and the FTC is a tougher enforcer than HHS has been on the HIPAA front to date.

With all this in mind, now is the time to examine policies and procedures, update them to comply with new rules — Son of HIPAA rules and related/overlapping FTC Red Flag Rules (effective November 1) and state data security rules — train staff to follow the policies and procedures consistently, and communicate commitment to these standards to your various consituencies: patients, other health care providers, business partners, etc. 

The Harlow Group LLC stands ready to assist covered entities and PHR providers in assessing the regulatory landscape, conducting an audit of current policies and procedures, and moving from a gap analysis to developing a fully compliant program and staying ahead of the curve going forward.  Please be in touch to learn more about our approach.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


  1. D. Kellus Pruitt DDS says

    Won’t a data breach mean certain bankruptcy anyway? Why should a provider be worried about HIPAA fines?

    D. Kellus Pruitt DDS

  2. says

    With or without HIPAA, you may be on the hook under state privacy laws in case of a breach.

    The new rule offers a safe harbor: encryption. For short money, you can encrypt your data, thus becoming exempt from patient and public notification requirements under HIPPA.
    Encryption may offer a good defense under state law too.


  1. Son of HIPAA Breach Notification Rules

    Health care providers: If your patient records aren’t already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government — as well as by some private payors and self-insured employers — to…

  2. Health-care Data Tracking | Electronic Health Record (EHR)

    HIPAA Security Rule Expanded Patient Data: Account for Access-Disclosure IT Logs, Control, Meta-data, Audit Trails Congress imposed a demanding new data security regime on all healthcare organizations. Congress more or less expects the industry (hospit…