Health IT Data Breaches: No Harm, No Foul


By Roy Mark

Data breach notification rules for health entities covered by the Health 
Insurance Portability and Accountability Act take effect Sept. 23. Under 
the rules issued by the Department of Health and Human Services (PDF), 
health care providers and health plans will be required to notify 
individuals of a breach of their unsecured protected health information. 

For companies that secure health information using encryption or 
destruction, no breach notification is necessary. For those companies 
that don't use encryption or destruction to protect the health data of 
individuals, notification isn't necessary if the breach doesn't rise to 
the harm standard established in the rules.

According to HHS' harm standard, the question is whether access, use or 
disclosure of the data poses a "significant risk of financial, 
reputational or other harm to [an] individual." Covered entities that 
suffer a data breach are required to perform a risk assessment to 
determine if the harm standard has been met. If the entity decides the 
harm to an individual is not significant, no notification is required.

"For breach notification purposes, it no longer matters whether health 
care companies protect data via encryption so long as the companies 
decide that the breach poses no significant risk of harm to the 
patient," stated a Sept. 11 blog post on the CDT (Center for Democracy 
and Technology) Website. "This decision is an internal process made by 
companies with a financial and reputational bias against notification."

