The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
In a 4-0 ruling Monday, the FTC approved a rule that will require Web-based businesses that deal with personal health information, even if they are not bound by HIPAA, to report security breaches. The Health Breach Notification Rule was created because Congress directed the FTC to issue it as part of the American Recovery and Reinvestment Act of 2009.
State regulators in Massachusetts have made changes to a set of identity theft regulations.
The changes, according to a release from the state’s Office of Consumer Affairs and Business Regulation, maintain protections while reinforcing flexibility in compliance for small businesses. They were made in response to concerns from small businesses that the proposed regulations would be too costly to put in place. The updated regulations will take effect March 1, 2010.
The Federal Trade Commission has released a final rule requiring vendors of personal health records, and entities that offer third-party PHRs, to notify consumers when the security of their PHR data is breached. Despite efforts by the FTC and the Department of Health and Human Services to harmonize their separate rules governing breach notification, the FTC rule takes the confusion to a new level and will require considerable study.
The Federal Trade Commission announced a third delay, from August 1, 2009, to November 1, 2009, for compliance with the identity theft prevention red flags rule. The delay is for another three months. Compliance was originally scheduled for November 1, 2008, then delayed the first time until May 1, 2009.
New legislation continues to pass at a fast clip in the US under the new administration. Some of the most revealing actions taken so far include:
- May 20, 2009 – President Obama signed the Fraud Enforcement and Recovery Act of 2009.
- June 12, 2009 – United States Congressman Gary Peters introduced his Shareholder Empowerment Act to the House.
- June 17, 2009 – President Obama outlined plans for more sweeping reform of financial regulations that would aim to consolidate supervision over all firms that pose a risk to the financial system as a whole.
A bill introduced in the Senate on Tuesday would strengthen the requirements in a much maligned security law, asking agencies to actively monitor and fix security holes in computer systems and requiring the White House to provide tougher enforcement.
The bill, the 2009 U.S. Information and Communications Enhancement Act, also would require the Commerce Department to establish standards for securing all government information systems, including those used by the Defense Department and intelligence agencies to support national security.
The “red flags” rules — which require creditors to implement a formal policy for detecting and preventing identity theft — were not on Dr. Slonaker’s radar. It wasn’t until the FTC last fall delayed the original Nov. 1, 2008, compliance date to May 1 that he became aware the rules also applied to the health care industry.
The Federal Trade Commission proposed a rule detailing the steps vendors of personal health records (PHRs) and related entities would have to take when notifying individuals following a breach of unsecured identifiable health information (74 Fed. Reg. 17914).
The American Recovery and Reinvestment Act of 2009 (ARRA) directed the FTC to issue such a rule requiring PHR vendors as well as PHR-related entities and third-party service providers to notify consumers of breaches of unsecured data.
The April 20 proposed rule sets forth specific requirements governing the standard for what triggers the notice, as well as the timing, method and content of notice. The FTC also clarified that if there is no reasonable basis to believe that information can be used to identify an individual, the information is not “PHR identifiable health information,” and a breach notification is not required. For example, if a breach involves information that has been de-identified, the information falls outside the scope of the rule, according to the Federal Register notice.
Public comments will be accepted until June 1. The FTC requested comment on specific issues, such as the extent to which PHR vendors may be covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and whether there is any overlap between HIPAA and this proposed rule.
The FTC estimated the cost of complying with the rule as $7,582 per breach, assuming most notifications can be made via e-mail.
HHS issued guidance on protecting personally identifiable healthcare information by encrypting or destroying it so that it is rendered “unusable, unreadable or indecipherable to unauthorized individuals.” The 20-page document was a joint effort by HHS, its Office of the National Coordinator for Health Information Technology, the Office for Civil Rights, and CMS.
The guidance was required by the stimulus package and is linked to a pair of breach-notification regulations required under the legislation. One is to be issued by HHS, and the other by the Federal Trade Commission. Previously, the FTC issued an interim rule and a request for comments covering breach notification by personal health-record vendors and other entities not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
HHS also requests public comments on the proposed rulemaking, due by May 21.