Category Archives: Other Regulations

Other federal, international, state and local regulations

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

via HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information.

FTC: Organizations not bound by HIPAA must report breaches – Security

In a 4-0 ruling Monday, the FTC approved a rule that will require Web-based businesses that deal with personal health information, even if they are not bound by HIPAA laws, to report security breaches. The Health Breach Notification Rule was created and put in place because Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009.

via FTC: Organizations not bound by HIPAA must report breaches – Security.

Mass. Makes Changes to ID Theft Regulations – Network World

State regulators in Massachusetts have made changes to a set of identity theft regulations.

The changes, according to a release from the state’s Office of Consumer Affairs and Business Regulation, maintain protections and also reinforce flexibility in compliance by small businesses and were made in response to concerns among small businesses who were concerned the proposed regulations would be too costly to put in place. The updated regulations will take effect March 1, 2010.

via Mass. Makes Changes to ID Theft Regulations – Network World.

FTC’s PHR Breach Rule = Confusion

The Federal Trade Commission has released a final rule requiring vendors of personal health records–and entities that offer third-party PHRs–to notify consumers when the security of their PHR data is breached. Despite efforts of the FTC and the Department of Health and Human Services to harmonize separate rules governing notification of breaches, the FTC rule takes confusion to a new level and will require considerable study.

via FTC’s PHR Breach Rule = Confusion.

New proposed regulations in the US #Compliance #GRC

New legislation continues to pass at a fast clip in the US under the new administration; some of the most revealing actions taken so far include:

more at The Forrester Blog For Security & Risk Professionals.

2009 U.S. Information and Communications Enhancement Act

A bill introduced in the Senate on Tuesday would strengthen the requirements in a much-maligned security law, asking agencies to actively monitor and fix security holes in computer systems and requiring the White House to provide tougher enforcement.

The bill, the 2009 U.S. Information and Communications Enhancement Act, also would require the Commerce Department to establish standards for securing all government information systems, including those used by the Defense Department and intelligence agencies to support national security.

via Nextgov – Bill would toughen security requirements over current law.

Doctors prepare for ID theft rules

The “red flags” rules — which require creditors to implement a formal policy for detecting and preventing identity theft — were not on Dr. Slonaker’s radar. It wasn’t until the FTC last fall delayed the original Nov. 1, 2008, compliance date to May 1 that he became aware the rules also applied to the health care industry.

via AMNews: May 18, 2009. Doctors prepare for ID theft rules … American Medical News.

FTC Proposes Breach Notification Rule for PHR Vendors | Thompson Publishing Group’s Compliance Information Center

The Federal Trade Commission proposed a rule detailing the steps vendors of personal health records (PHRs) and related entities would have to take when notifying individuals following a breach of unsecured identifiable health information (74 Fed. Reg. 17914).

The American Recovery and Reinvestment Act of 2009 (ARRA) directed the FTC to issue such a rule requiring PHR vendors as well as PHR-related entities and third-party service providers to notify consumers of breaches of unsecured data.

The April 20 proposed rule sets forth specific requirements governing the standard for what triggers the notice, as well as the timing, method and content of notice. The FTC also clarified that if there is no reasonable basis to believe that information can be used to identify an individual, the information is not “PHR identifiable health information,” and a breach notification is not required. For example, if a breach involves information that has been de-identified, the information falls outside the scope of the rule, according to the Federal Register notice.

Public comments will be accepted until June 1. The FTC requested comment on specific issues, such as the extent to which PHR vendors may be covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and whether there is any overlap between HIPAA and this proposed rule.

The FTC estimated the cost of complying with the rule as $7,582 per breach, assuming most notifications can be made via e-mail.

via FTC Proposes Breach Notification Rule for PHR Vendors | Thompson Publishing Group’s Compliance Information Center.

HHS offers guidance on protecting health information – Modern Healthcare

HHS issued guidance on protecting personally identifiable healthcare information by encrypting or destroying it so that it is rendered “unusable, unreadable or indecipherable to unauthorized individuals.” The 20-page document was the work of a joint effort by HHS, its Office of the National Coordinator for Health Information Technology and Office for Civil Rights, and the CMS.

The guidance was required by the stimulus package and is linked to a pair of breach-notification regulations required under the legislation. One is to be issued by HHS, and the other by the Federal Trade Commission. Previously, the FTC issued an interim rule and a request for comments covering breach notification by personal health-record vendors and other entities not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.

HHS also requests public comments on the proposed rulemaking, due by May 21.

via HHS offers guidance on protecting health information – Modern Healthcare.