HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

New Personal Health Information (PHI) breach guidelines included in stimulus package

Under the American Recovery and Reinvestment Act of 2009 passed in February (otherwise known as the stimulus package), the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), must issue rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. As a first step, the FTC has now issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to notify consumers in the event of a security breach. This is a positive move towards building federal standards for Personal Health Information (PHI) breaches that at least match the requirements already applied to other sensitive data such as credit card numbers.

The stimulus package also tries to close the current Health Insurance Portability and Accountability Act (HIPAA) notification 'loophole' by recognizing that there are now new entities (for example, third-party storage vendors) that collect consumers’ health information but are not covered by the current breach guidelines. Beginning September 16th, “covered entities” under HIPAA will be required to give breach notifications, and “business associates” of HIPAA-covered entities will be required to report breaches of PHI to the covered entities. Until HHS and the FTC issue their new rules, the new HIPAA requirements should ensure that affected individuals, from physicians to patients, are notified within 60 days of discovery of a breach. This will apply to any organization that uses or maintains “unsecured protected health information.”

There is definitely a need for federal guidelines regarding PHI breaches. Currently (and until September, when the new HIPAA requirements go into effect), only two states (California and Arkansas) require breach notifications for all concerned entities. What exists now is a mishmash of state and federal regulations concerning PHI breaches that only serves to breed confusion. And that’s not helped by organizations (third-party storage vendors, for example) who aren’t following simple standards of customer service when notifying either patients or physicians of PHI breaches, because they don’t yet have to. As we've seen with Wall Street, self-regulation is not always the best answer, especially when it comes to delivering bad news.

Companies should be aware that any breach of PHI will soon require across-the-board notification, from consumer to health care provider, and that lack of compliance can result in hefty fines. The stimulus package created four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 per violation, with annual caps of $25,000 to $1,500,000 per calendar year. These fines are effective immediately. There are also new state guidelines enacted this year that carry hefty penalties for non-compliance. California guidelines adopted this year as part of SB 541 include penalties of $25,000 per patient for unauthorized access, use, or disclosure of patients’ records, $17,500 for each subsequent occurrence of access to an affected patient’s records, and $100 per day of delayed reporting of a breach. Any company that handles PHI would be well served to step up security efforts to avoid a breach now that the consequences are more severe, and to have a notification policy in place and ready to go in the unfortunate event of a breach.


Labels: compliance| hipaa| phi