HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Rules for web-based health repository breach notifications announced

The Federal Trade Commission (FTC) has released the final rules concerning breach notifications for Personal Health Information (PHI) that were required under the American Recovery and Reinvestment Act of 2009 which was passed in February (otherwise known as the stimulus package). The Department of Health and Human Services (HHS) and the FTC were tasked with issuing rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information was breached. This closes a loophole in the Health Insurance Portability and Accountability Act (HIPAA) for web-based companies that gather health information. Until now, they had typically not been covered under HIPAA. The new rules go into effect 30 days after publication in the Federal Register. The FTC plans to begin enforcement 180 days after that.

Some interesting items in the new rules:

- Encrypted data is considered secure (hope it's strong).
- The media must be notified if more than 500 individuals have had their information accessed.
- Companies have up to 60 calendar days to provide notifications.
- Law enforcement can delay notifications if it would impede an investigation or be a threat to national security.
- If the contact information for 10 or more individuals is out of date, alternate notice may be given via a posting on the vendor web site or through the media. (10 is not a lot. It might be 'easier' to find those and do the notification on your web site…and then save the postage.)

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1365176,00.html

Read the rules here:

http://www.ftc.gov/os/2009/08/R911002hbn.pdf


New Personal Health Information (PHI) breach guidelines included in stimulus package

Under the American Recovery and Reinvestment Act of 2009 passed in February (otherwise known as the stimulus package), the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), must issue rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. As a first step, the FTC has now issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach. This is a positive move towards building federal standards for Personal Health Information (PHI) breaches that at least match the requirements already applied to other important data such as credit card numbers.


The stimulus package also tries to close the current Health Insurance Portability and Accountability Act (HIPAA) notification 'loophole' by recognizing that there are now new entities (for example, third-party storage vendors) that collect consumers' health information but are not covered by the current data-breach guidelines. Beginning September 16th, "covered entities" under HIPAA will be required to give breach notifications, and "business associates" of HIPAA-covered entities will be required to report breaches of PHI to the covered entities. Until the HHS and FTC can issue new guidelines, the new HIPAA requirements should ensure that affected individuals, from physicians to patients, are notified within 60 days of discovery of a breach. This will apply to any organization that utilizes or maintains "unsecured protected health information."


There is definitely a need for federal guidelines regarding PHI breaches. Currently (and until September when the new HIPAA requirements go into effect), only two states (California and Arkansas) require breach notifications for all concerned entities. What exists now is a mishmash of state and federal regulations concerning PHI breaches that only serves to breed confusion. And that's not helped by organizations (third-party storage vendors, for example) who aren't following simple standards of customer service when notifying either patients or physicians of PHI breaches because they don't yet have to. As we've seen with Wall Street, self-regulation is not always the best answer, especially when it comes to delivering bad news. Companies should be aware that any breach of PHI will soon require across-the-board notification from consumer to health care provider, and that lack of compliance can result in hefty fines. The stimulus package created four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 for each violation, not to exceed $25,000 to $1,500,000 during a calendar year. These fines are also effective immediately. As well, there are new state guidelines enacted this year that contain hefty penalties for non-compliance. California guidelines adopted this year as part of SB 541 have penalties for violations including $25,000 per patient for unauthorized access, use, or disclosure of patients' records, $17,500 for each subsequent occurrence of access to an affected patient's records, and $100 per day of delayed reporting of a breach. Any company that is involved with PHI would be well served to step up security efforts to avoid a breach now that the consequences are more severe, and to have a notification policy in place and ready to go in the unfortunate event of a breach.


http://www.modernhealthcare.com/article/20090416/REG/304169969

Labels: compliance | hipaa | phi