The rules, developed in accordance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require financial institutions and other organizations classified as “creditors” to develop programs to identify, detect and respond to indications of identity theft. A bill passed this week would amend FACTA and exclude health care, accounting and legal practices with 20 or fewer employees from having to comply with the regulations, set to be enforced starting next month.
The U.S. federal government’s IT security spending will jump from $7.9 million to $11.7 billion in 2014 thanks to tightening federal security regulations, a 300 percent jump in attacks on feds’ networks and systems during the past five years, and the Obama administration’s emphasis on security, according to new data from research firm Input.
The American Health Information Management Association (AHIMA) is looking to bridge what it sees as a yawning gap in health privacy protections with a seven-point bill of rights it hopes will push the healthcare industry to a “major paradigm shift” in patient privacy practices.
There are many entities that operate outside of the Health Insurance Portability and Accountability Act (HIPAA), AHIMA said, and there is a wide variance of regulations imposed by the states.
via In the News.
Have you ever heard of a federal agency in charge of enforcing a set of regulations that is partly funded by the penalties it imposes on violators?
The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
State regulators in Massachusetts have made changes to a set of identity theft regulations.
The changes, according to a release from the state’s Office of Consumer Affairs and Business Regulation, maintain protections while reinforcing flexibility in compliance for small businesses, and were made in response to concerns among small businesses that the proposed regulations would be too costly to put in place. The updated regulations will take effect March 1, 2010.
Just days before perpetrators executed one of the broadest denial of service attacks against federal-interest IT systems, the Government Accountability Office was on the Hill presenting its recommendations for reforming FISMA, including plans to enhance and improve testing, policy, communications, reporting and auditing.
With IT security resources so heavily invested in policy, audits and compliance reporting, where is the room for real innovation and progress?
New legislation continues to pass at a fast clip in the US under the new administration; some of the most revealing actions taken so far include:
- May 20, 2009 – President Obama signed the Fraud Enforcement and Recovery Act of 2009.
- June 12, 2009 – United States Congressman Gary Peters introduced his Shareholder Empowerment Act to the House.
- June 17, 2009 – President Obama outlined plans for more sweeping reform of financial regulations that would aim to consolidate supervision over all firms that pose a risk to the financial system as a whole.
Several nationally recognized healthcare experts have joined forces to create HIPAA.com, a single-source resource site where visitors will find access to HIPAA regulations, American Recovery and Reinvestment Act (ARRA) updates, and practical guidance on what to do to meet new regulations.
HHS issued guidance on protecting personally identifiable healthcare information by encrypting or destroying it so that it is rendered “unusable, unreadable or indecipherable to unauthorized individuals.” The 20-page document was the work of a joint effort by HHS, its Office of the National Coordinator for Health Information Technology and Office for Civil Rights, and the CMS.
The guidance was required by the stimulus package and is linked to a pair of breach-notification regulations required under the legislation. One is to be issued by HHS, and the other by the Federal Trade Commission. Previously, the FTC issued an interim rule and a request for comments covering breach notification by personal health-record vendors and other entities not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
HHS also requests public comments on the proposed rulemaking due by May 21