Security Insights: HITECH Name-And-Shame Goes Up A Gear
Feb 25, 2010 – By Simon Hunt
Not content with naming and shaming companies that break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services (HHS) is now listing, on its own Web site, companies that lose control of more than 500 people's records.
The duty to do this comes from section 13402(e)(4) of the HITECH Act:
“(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.”
For those not in the know, HITECH is a U.S. act that imposes a duty of care on people's health information. “Covered Entities” such as health plan providers and care providers (hospitals, doctors, etc.) must put safeguards in place to ensure that our individual health information is not seen by, or accessible to, unauthorized people. You can find out more about HITECH on HHS's excellent consumer web site.
Section (e) of HITECH is of particular interest: it sets out exactly how a company must report a breach of security involving personal health information.
The list is already around 34 entries long. Interestingly, “Private Practice” of Torrance, CA has the dubious honor of 5 separate entries, all apparently related to the same-day theft of desktop computers (which must have been unencrypted, or the practice would not have needed to disclose the loss).
I hate to make predictions, but HITECH is probably the model a U.S. federal data protection and privacy act will follow. If that comes true, any company losing control of our personal information will be publicly announced in a central forum; no more searching the press for notifications that our identities might be out in the wild.
One final interesting thing about HITECH, which is fairly unusual amongst data protection regulation, is its definition of what a “Breach” really is, and thus what kind of activity triggers a disclosure of loss. I'll leave you with this interesting excerpt:
“(1) Breach.—
(A) In General.—The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) Exceptions.—The term “breach” does not include—
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.”
Courtesy McAfee.