HHS Issues a Breach Notification Rule

The Department of Health and Human Services (HHS) published its rule on mandatory breach notification requirements, reports Government Health IT. The rule applies to all entities covered by the Health Insurance Portability and Accountability Act (HIPAA). The notification requirement stems from a Congressional mandate in the American Recovery and Reinvestment Act, (ARRA). "These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese of the HHS Office for Civil Rights. Earlier this week, the FTC issued its rule on mandatory breach notification requirements for personal health records vendors.
For more on that rule here.

Attention All Keepers of Personal Data!

1. Do you own a business with employees?
2. Do you use personal information in sales transactions?
3. Do you keep personally identifiable information (PII), on your clients including students?
4. Do you share PII with any other business?
5. Does any other business have access to your PII database?

If you can answer yes to any of these questions ask yourself this. What are you doing to actively safeguard that information from loss or theft? Remember, it is your responsibility to protect that information from misuse or theft. No business (above) is exempt.

The federal government has issued guidelines for you to follow in order to be compliant with the standards set forth in several privacy laws.The Federal Trade Commission FTC , has oversight of all businesses apart from the banking and savings industries which have separate oversight. They have the authority to investigate breaches and to even prosecute those businesses whose security practices are lacking.

The answer to anyone who questions the need for securing this kind of information is very simple. There are roughly 9 to 10 million identity theft victims in the U.S. each year. The majority of those victims had their information compromised from a database and not from direct theft. When you and your business safeguards the information you keep on others you are protecting them. When someone else does the same they are protecting you. All of us leave a trail of data behind in the course of our lives. Every school we have ever attended, every home we have purchased, loan made, insurance claim, military service, in short everything we have ever done has left a record that needs to be protected from theft or misuse. Each one of us is a link in the chain of protection. When you and your business safeguards the information you keep on others you are protecting them. When someone else does the same they are protecting you.

Data Security Measures Deadline Extended

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has amended its data security regulations. In a media release yesterday, the OCABR announced that the rules will facilitate a risk-based approach to data security, which is expected to help the small-business community, in particular. In creating written security programs, businesses will be able to take into account their size, industry type and identity-theft risk, among other characteristics. The OCABR also modified the regulations to make them technology neutral. The new effective date is March 1, 2010. A public hearing on the changes will take place Tuesday, September 22.

The government has long been under pressure to create a federal standard for data security. Existing laws such as the FCRA and GLB Safety Act have set out guidelines for businesses that include risk analysis, written policy definitions, and employee training. However, apart from the Red Flags Rules [sec.114 FACTA] to date nothing definitive has been issued that delineates specifically what each business must do and what criteria they must follow to safeguard PII. This new Mass. law promises to provide much of that language to guide businesses in that State. It is my belief that when enacted this new legislation will become a model for similar federal legislation.