http://www.eweek.com/c/a/Health-Care-IT/Health-IT-Data-Breaches-No-Harm-No-Foul-293398/

By Roy Mark
eWEEK.com
2009-09-16

Data breach notification rules for health entities covered by the Health Insurance Portability and Accountability Act take effect Sept. 23. Under the rules issued by the Department of Health and Human Services (PDF), health care providers and health plans will be required to notify individuals of a breach of their unsecured protected health information.

Maybe.

For companies that secure health information using encryption or destruction, no breach notification is necessary. (The HHS guidance ties "encryption" to NIST-specified methods and treats the data as secured only if the decryption key was not itself compromised.) For companies that don't use encryption or destruction to protect the health data of individuals, notification still isn't necessary if the breach doesn't rise to the harm standard established in the rules.

According to HHS' harm standard, the question is whether access, use or disclosure of the data poses a "significant risk of financial, reputational or other harm to [an] individual." Covered entities that suffer a data breach are required to perform a risk assessment to determine whether the harm standard has been met. If the entity decides the harm to an individual is not significant, no notification is required.

"For breach notification purposes, it no longer matters whether health care companies protect data via encryption so long as the companies decide that the breach poses no significant risk of harm to the patient," stated a Sept. 11 blog post on the CDT (Center for Democracy and Technology) Website. "This decision is an internal process made by companies with a financial and reputational bias against notification."

[...]

Received on Wed Sep 16 2009 - 22:29:17 PDT