
    Law requires health data breach notifications

    The recently enacted economic stimulus law includes new requirements for how companies must notify people of breaches to their protected health information. Some experts say the rules could lead to federal breach notification requirements for other types of data.

    Health data experts are still studying provisions in the $787 billion spending law that will expand what health care-related businesses are required to do when they discover unsecured, protected medical data has been breached.

    The law gave the Health and Human Services Department 60 days to issue guidance on the types of technologies and methodologies that should be used to make protected health information secure -- unusable, unreadable or indecipherable to unauthorized people.

    Under the new law, if a health care provider, health plan administrator or health care clearinghouse covered under the Health Insurance Portability and Accountability Act (HIPAA) suffers a breach of the personal medical data it holds, and that data is not secured in the way HHS recommends, the organization will have to notify, within 60 days, each person whose data is believed to have been compromised. Companies that handle medical data on behalf of those entities will also have to notify the entity they work for if a breach is believed to have occurred on their watch.

    “It is a big change in terms of the scope of the laws…and it now establishes a federal standard so regardless of what state you do business in, if you do business in the health industry, you are likely to be subject to these breach requirements,” said Kathryn Roe, an attorney focused on health care with the firm Neal, Gerber and Eisenberg in Chicago.

    Federal lawmakers have made several recent attempts to pass national data notification requirements for data breaches of all kinds, but thus far those efforts have stalled and states have promulgated their own requirements. Without a national rule for data breach notifications, more than 40 states have developed their own data breach notification requirements.

    Lisa Sotto, head of the privacy and information management practice at the law firm Hunton and Williams and an expert on privacy and data security, said the current situation is complex because data breaches rarely affect residents of just one state and state laws often differ.

    “I think what could happen here is this could set the bar and become the standard of data compromises of other types of sensitive personal data,” Sotto said.

    The new law, which applies only to protected medical data, requires that individuals affected by a breach be notified in writing and that local news media be alerted to the breach in cases where more than 500 people are believed to have been affected. The provisions also require the companies to notify HHS of any breach, and to do so immediately if it involves 500 people or more. HHS will post on its Web site a list of the HIPAA-covered entities involved in breaches that reach the 500-person threshold.

    Pam Dixon, executive director of the public research group World Privacy Forum, said the law was also significant because it includes requirements for organizations not covered under HIPAA. She added that the law was an acknowledgment that certain kinds of data need more protection.

    Regardless of how they are made, breach notifications, to the extent possible, will have to include:

    • A description of what happened, including when the breach occurred and when it was discovered.
    • A description of the types of unsecured protected health information that was breached.
    • The steps individuals should take to protect themselves against potential harm from the breach.
    • A description of what the covered entity involved is doing to investigate the breach, mitigate losses and prevent future breaches.

    HHS also was given one year to submit to Congress the first of what will be annual reports on medical data breaches that have occurred and what was done in response to them. The department also was given 180 days to issue interim final regulations implementing the law’s requirements.

    Reader comments

    Sat, Feb 28, 2009 Deborah C. Peel, MD Austin, TX

    The reason we have breach notice for health data is the actions of a single US Senator, Olympia Snowe. The language that would have passed without her principled opposition to HITECH would have required only "willful" breaches to be reported. How many of those do you think there are? Her amendment was strongly supported by consumers and patients and adamantly opposed by the healthcare and HIT industries. Patient Privacy Rights, the ACLU, and the bipartisan Coalition for Patient Privacy worked hard to press for her amendment to HITECH. Veterans have to be told of breaches of their health data thanks to the Privacy Act, but the rest of us would never have had the right of breach notice without Senator Snowe.

    Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights, www.patientprivacyrights.org, Austin, TX

