HealthBlawg

David Harlow's Health Care Law Blog


HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

September 25, 2009

Two key Son of HIPAA rules mandated by the HITECH Act are now effective.  Both the FTC and HHS have finalized their security breach notification requirements and have assured the regulated community that they have six months to get their collective houses in order.

Please take the time to peruse both the HHS Son of HIPAA security breach notification rule and the FTC Son of HIPAA security breach notification rule.  I discussed the impact of the breach notification rules and their enforcement when they were issued as "guidance" and draft regs in April at HealthCamp Boston and will be posting more information about them in the near future.

A few points to consider for now:

  • The HHS breach notification rule layers encryption standards — how to render health information "unusable, unreadable or indecipherable" — for data at rest, data in use and data in motion, on top of the HIPAA privacy and security rules. The guidance does not define its own algorithms; it points to the NIST publications on storage encryption (SP 800-111) and transport encryption, and to NIST media-sanitization guidance (SP 800-88) for data being disposed of.
  • Encryption is not required, but a breach of unencrypted data triggers notice to HHS and, for breaches affecting more than 500 residents of a state, public notice (i.e., alert the media), in addition to notice to the affected individuals. Two caveats matter in practice: the safe harbor applies only to encryption that meets the HHS guidance, and the guidance expects the decryption keys or tools to be stored on a device or at a location separate from the encrypted data. A lost laptop whose disk is encrypted but whose key travels with it does not qualify.
  • The FTC rules widen the net, imposing parallel breach-notification obligations on entities outside HIPAA's reach: vendors of personal health records (PHRs), PHR-related entities and the third-party service providers that handle their data.
  • As an aside, greater regulation of business associates under HIPAA will be effective in February; business associates will have to implement policies and procedures similar to those now required only of covered entities.
  • Enforcement will be ratcheted up after six months. Greater sanctions are available for regulators to impose, and the FTC is a tougher enforcer than HHS has been on the HIPAA front to date.

With all this in mind, now is the time to examine policies and procedures and update them to comply with the new rules — the Son of HIPAA rules, the related and overlapping FTC Red Flag Rules (effective November 1) and state data security rules. Then train staff to follow the policies and procedures consistently, and communicate your commitment to these standards to your various constituencies: patients, other health care providers, business partners, etc.

The Harlow Group LLC stands ready to assist covered entities and PHR providers in assessing the regulatory landscape, conducting an audit of current policies and procedures, and moving from a gap analysis to developing a fully compliant program and staying ahead of the curve going forward.  Please be in touch to learn more about our approach.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health 2.0, Health care policy, Health Law, HIPAA, HIT, Home Health, Hospitals, IDTF, Nursing Facilities, Physicians, Privacy


Comments

  1. D. Kellus Pruitt DDS says

    September 26, 2009 at 10:55 am

    Won’t a data breach mean certain bankruptcy anyway? Why should a provider be worried about HIPAA fines?

    D. Kellus Pruitt DDS

  2. David Harlow says

    September 27, 2009 at 5:39 pm

    With or without HIPAA, you may be on the hook under state privacy laws in case of a breach.

    The new rule offers a safe harbor: encryption. For short money, you can encrypt your data, thus becoming exempt from patient and public notification requirements under HIPAA.
    Encryption may offer a good defense under state law too.


Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.