ADVANCE Perspective: HIM

HHS Releases Breach Notification Final Rule

Published August 20, 2009 9:41 AM by Cheryl McEvoy
The Department of Health and Human Services (HHS) has released a final rule on breach notification requirements for covered entities (CEs) and business associates (BAs). Published in the Federal Register, the rule dictates proper procedure for responding to a breach, including when notification is required, who to tell and how to dispense that information. The rule also reiterates and clarifies recommended methods of data encryption.

The announcement came 2 days after the Federal Trade Commission (FTC) released its breach notification final rule, which covers personal health record vendors and other non-HIPAA CEs. HHS consulted with FTC on requirements and asked the public for input through a request for information released earlier this year.

In the event of a breach, the CE must notify affected individuals promptly, the rule states. If the breach involves more than 500 people, the CE must also alert the HHS secretary and the media. Breaches involving fewer than 500 people must be reported to HHS on an annual basis.

HHS will maintain a list of CEs that experience breaches affecting more than 500 people, which will be posted on the agency's Web site.

BAs that identify a breach are required to notify the CE.

According to the rule, CEs need not report a breach if the information involved has been properly encrypted; in other words, if the data was "rendered unusable, unreadable or indecipherable to unauthorized individuals." The theory seems to be that whoever gained access to the information wouldn't be able to read or use it, whether for malicious activity or otherwise, so affected individuals aren't put at risk. However, any data that had not been properly encrypted or destroyed is subject to the notification rules. A firewall, for example, is not an accepted method of encryption, so any CE relying solely on a firewall for protection would be required to notify individuals about a breach.

To reduce the chance of a breach occurring, encryption keys should be held on a separate computer, HHS advised.

From a patient's perspective, this stipulation concerned me. If an unauthorized individual gains access to hospital or physician files, I want to know about it. Whether the information accessed is encrypted or not (heck, even if the hacker just perused a doctor's iTunes library), it still crosses that divide and may even build a bridge for more breaches to follow. One would hope privacy and security officers would tighten controls as soon as the fishy business hits their radar, but will they be so quick to jump when there are other HIPAA risks to monitor?

The rule also cuts CEs some slack regarding "unintentional" breaches. If an employee at a CE or BA or other authorized individual inadvertently accesses personal information, the event is not considered a "breach" and therefore notification is not required. Accidents happen (we're all human, after all), but could this "unintentional disclosure" exemption run the risk of being abused by employees? How easy is it to "accidentally" view private information, and could an employee pass off conniving activity with an "Oops?"

The rule goes into effect 30 days after the announcement. HHS is allowing 60 days for public comment, but let's get your feedback now. What do you think about the notification requirements? Are they too strict? Not tough enough? Do you see any loopholes?

2 comments

PingBack from http://www.emrandhipaa.com/emr-and-hipaa/2009/08/21/hipaa-breach-notification-final-rule-released-by-hhs/

August 21, 2009 2:39 PM

Senate Bill 541 and Assembly Bill 211, initiated by the California government in January 2009, already make it very tough on release of medical records. It is almost frightening to fax a patient's record to a physician's office, for continuing care, during the routine course of a day. Obviously we must be very, very careful with PHI, but how many more laws do we need? A valuable employee attempting to do his/her very best while handling hundreds of patient requests in a day can make an honest mistake. Does anyone realize how many misfiled records one can come across in a day? For instance, my EKG report could get caught up in someone else's medical record and six months later get mistakenly released to a requestor. Let's not kid ourselves and act like misfiles do not happen. They, in fact, happen daily. Suddenly there has been a breach (unintentionally) and the person who copied or printed the record must get "written up", the Department of Public Health (in CA) has to be notified, along with the patient! The patient now has grounds to sue the CE!! Our new laws appear to be "good ideas gone to seed." There has to be a better way to handle all these so-called breaches before CEs refuse to release medical records to anyone and patient care suffers!

Donna August 20, 2009 12:08 PM
