By Roy Mark
Data breach notification rules for health entities covered by the Health
Insurance Portability and Accountability Act take effect Sept. 23. Under
the rules issued by the Department of Health and Human Services, health
care providers and health plans will be required to notify individuals
of a breach of their unsecured protected health information.

For companies that secure health information using encryption or
destruction, no breach notification is necessary. For those companies
that don't use encryption or destruction to protect the health data of
individuals, notification isn't necessary if the breach doesn't rise to
the harm standard established in the rules.
According to HHS' harm standard, the question is whether access, use or
disclosure of the data poses a "significant risk of financial,
reputational or other harm to [an] individual." Covered entities that
suffer a data breach are required to perform a risk assessment to
determine if the harm standard has been met. If the entity decides the
harm to an individual is not significant, no notification is required.
"For breach notification purposes, it no longer matters whether health
care companies protect data via encryption so long as the companies
decide that the breach poses no significant risk of harm to the
patient," stated a Sept. 11 blog post on the CDT (Center for Democracy
and Technology) website. "This decision is an internal process made by
companies with a financial and reputational bias against notification."