The administration on Wednesday announced safeguards intended to protect consumers from health information technology breaches, as the White House tries to move healthcare reform forward.
Health IT has been a focal point of the stimulus package and the president's larger healthcare plan -- a plan that is under attack by the press and the public.
The Health and Human Services Department issued new rules, mandated by the Recovery Act, that require providers and insurers to notify patients when their health information is breached. They also must alert the media and HHS secretary when a breach affects more than 500 people.
The Federal Trade Commission had a hand in the regulations and has issued its own notification guidelines for businesses that fall outside of HHS' jurisdiction, such as health IT vendors. HHS' notification rules only apply to healthcare groups covered by the 1996 Health Insurance Portability and Accountability Act.
"These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese, HHS acting director and principal deputy director of the HHS office for civil rights, in a press release.
The new HHS rules also update the guidance on techniques for encrypting and destroying health information so that it is unusable, unreadable or indecipherable to unauthorized users. Covered entities that apply those techniques are not required to send breach notifications when the protected information is lost or stolen.



COMMENTS
The HHS breach notification rule contains a giant loophole for health care companies.
Basically, if data on patients is lost or stolen, the rule allows a company to decide for itself whether the breach poses a 'significant risk' of financial, reputational or other harm to patients.
If the company determines there is no significant risk, then the company never has to tell the patient about the breach.
Keep in mind that the companies themselves have a financial and reputational incentive against notification.
The Center for Democracy & Technology wrote an article on how this new "harm standard" for breach notification undermines patient privacy and the transparency of health care entities.
That article can be found here: http://blog.cdt.org/2009/09/11/hhs%E2%80%99-new-harm-standard-for-breach-notification/
HLGCDT 09/21/09 11:18 am ET
What about the government contractors who are now the prime offenders? Linda Joy Adams
Linda Joy Adams 09/01/09 03:31 pm ET