HealthBlawg

David Harlow's Health Care Law Blog


HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

September 25, 2009

Two key Son of HIPAA rules mandated by the HITECH Act are now effective.  Both the FTC and HHS have finalized their security breach notification requirements and have assured the regulated community that they have six months to get their collective houses in order.

Please take the time to peruse both the HHS Son of HIPAA security breach notification rule and the FTC Son of HIPAA security breach notification rule.  I discussed the impact of the breach notification rules and their enforcement when they were issued as "guidance" and draft regs in April at HealthCamp Boston and will be posting more information about them in the near future.

A few points to consider for now:

  • The HHS breach notification rule layers encryption standards — how to render health information "unusable, unreadable or indecipherable" — for data at rest, data in use and data in motion, on top of the HIPAA privacy and security rules.
  • Encryption is not required, but a security breach with respect to non-encrypted data triggers public notice requirements (i.e., alert the media) in addition to data subject notice requirements.
  • The FTC rules widen the net, imposing HIPAA-"covered-entity"-like obligations on business associates including, e.g., PHR vendors and other non-covered-entity repositories of health information. 
  • As an aside, greater regulation of other business associates under HIPAA will be effective in February; business associates will have to implement policies and procedures similar to those now required only of covered entities.
  • Enforcement will be ratcheted up after six months.  Greater sanctions are available for regulators to impose, and the FTC is a tougher enforcer than HHS has been on the HIPAA front to date.

With all this in mind, now is the time to examine policies and procedures, update them to comply with new rules — Son of HIPAA rules and related/overlapping FTC Red Flag Rules (effective November 1) and state data security rules — train staff to follow the policies and procedures consistently, and communicate commitment to these standards to your various constituencies: patients, other health care providers, business partners, etc.

The Harlow Group LLC stands ready to assist covered entities and PHR providers in assessing the regulatory landscape, conducting an audit of current policies and procedures, and moving from a gap analysis to developing a fully compliant program and staying ahead of the curve going forward.  Please be in touch to learn more about our approach.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


Filed Under: EHR, Health 2.0, Health care policy, Health Law, HIPAA, HIT, Home Health, Hospitals, IDTF, Nursing Facilities, Physicians, Privacy


Comments

  1. D. Kellus Pruitt DDS says

    September 26, 2009 at 10:55 am

    Won’t a data breach mean certain bankruptcy anyway? Why should a provider be worried about HIPAA fines?

    D. Kellus Pruitt DDS

  2. David Harlow says

    September 27, 2009 at 5:39 pm

    With or without HIPAA, you may be on the hook under state privacy laws in case of a breach.

    The new rule offers a safe harbor: encryption. For short money, you can encrypt your data, thus becoming exempt from patient and public notification requirements under HIPAA.
    Encryption may offer a good defense under state law too.


Copyright © 2006–2025
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.