BreachExchange mailing list archives

Health IT Data Breaches: No Harm, No Foul


From: security curmudgeon <jericho () attrition org>
Date: Thu, 17 Sep 2009 05:43:58 +0000 (UTC)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.eweek.com/c/a/Health-Care-IT/Health-IT-Data-Breaches-No-Harm-No-Foul-293398/

By Roy Mark
eWEEK.com
2009-09-16

Data breach notification rules for health entities covered by the Health 
Insurance Portability and Accountability Act take effect Sept. 23. Under 
the rules issued by the Department of Health and Human Services (PDF), 
health care providers and health plans will be required to notify 
individuals of a breach of their unsecured protected health information. 
Maybe.

For companies that secure health information using encryption or 
destruction, no breach notification is necessary. For those companies that 
don't use encryption or destruction to protect the health data of 
individuals, notification isn't necessary if the breach doesn't rise to 
the harm standard established in the rules.

According to HHS' harm standard, the question is whether access, use or 
disclosure of the data poses a "significant risk of financial, 
reputational or other harm to [an] individual." Covered entities that 
suffer a data breach are required to perform a risk assessment to 
determine if the harm standard has been met. If the entity decides the 
harm to an individual is not significant, no notification is required.

"For breach notification purposes, it no longer matters whether health 
care companies protect data via encryption so long as the companies decide 
that the breach poses no significant risk of harm to the patient," stated 
a Sept. 11 blog post on the CDT (Center for Democracy and Technology) 
Website. "This decision is an internal process made by companies with a 
financial and reputational bias against notification."

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)