[ Tuesday, March 17, 2009 ]
More Stimulus Bill provisions: Data Breach reporting.
Data Breach Notification Requirements. Covered entities and business associates who suffer a “breach” of unsecured PHI must notify all affected individuals. There are several complicating factors here: the definition of “breach” is relatively specific, and excludes some unintentional or inadvertent disclosures; if the PHI was “secured” (again, a specific definition applies, but basically encrypted or otherwise made indecipherable) then no notice is required; the information to be contained in the breach notification is somewhat specific; and it may be difficult to determine exactly when a breach was “discovered,” thereby starting the clock on notification timelines. Furthermore, if a company suffers a data breach involving the unsecured PHI of 500 or more people, the company will have to notify not only the affected individuals, but the Department of Health and Human Services and “prominent media outlets” serving the area.
That there is the "shame" rule: if you don't work hard enough to protect the info and you lose data on 500 people, you've got to call the local media and report yourself to the local news. This one will definitely benefit from regulations being drafted that outline all of the specifics, and from the standards-setting organizations getting their acts together. Of course, that all still depends on getting a Secretary of HHS in place. One has been named, but the administration has failed to deliver the confirmation packet to the Senate (probably waiting for her to pay up back taxes).
Jeff [5:24 PM]