Thursday, September 17, 2009

Breach Notification Rule Effective Next Week

Breach Notification Rule Effective Next WeekThe new HIPAA breach notification rule takes effect next week, reports HR.blr.com. The rule requires entities covered by the Health Insurance Portability and Accountability Act to notify individuals in the event their personal health information is breached, the report states. Starting on September 23, any healthcare provider, health plan or other HIPAA-covered entity that experiences a breach must notify those affected "as soon as reasonably possible," unless the organization protects the information using encryption or destruction, in which case they need not notify. If the breach involves more than 500 individuals, the organization must also notify the Department of Health and Human Services and the media. Full Story

This constitutes a real milestone in stemming identity theft on a federal level. As this bill passes we will have the first leg of a national reporting policy for all personal data loss. No legislation is perfect. There is still a threshold test for notifying potential victims, and we will most likely always have a conflict between notifying victims and investigating breaches. This is however a good beginning. The remaining conflict of course is the timeliness of the notification. Once notified of a breach individuals should be empowered to provide protection for themselves before any damage is done. The best scenario is to have this in place prior to a breach so that the potential victim will have the early warning and restoration services of professional identity theft specialists.