Educause Security Discussion mailing list archives
from HHS.gov - Breach Notification for Unsecured Protected Health Information
From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Fri, 21 Aug 2009 16:59:34 -0400
Two days after the FTC final rule, HHS released the 'Interim final rule for Breach Notification for Unsecured Protected Health Information'. This is related to the HITECH provision (Health Information Technology for Economic and Clinical Health Act) of the ARRA - American Recovery and Reinvestment Act of 2009 -- and affects EDUs with HIPAA covered components.

http://www.hhs.gov/news/press/2009pres/08/20090819f.html
http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf
[FR Doc. 2009-20169 Filed 08/19/2009 at 4:15 pm; Publication Date: 08/24/2009]

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
security () yale edu || security.yale.edu

-------- Original Message --------
Subject: [SECURITY] FTC Ruling on PHI Information
Date: Fri, 21 Aug 2009 16:42:48 -0400
From: Martin Manjak <mm376 () ALBANY EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU

I saw this article in today's SANS Digest.

--FTC Rule Expands Health Data Breach Notification Responsibility to Web-Based Entities (August 18, 2009)
The US Federal Trade Commission has issued a final rule on health care breach notification. The rule will require web-based businesses that store or manage health care information to notify customers in the event of a data security breach. Such entities are often not bound by the requirements of the Health Insurance Portability and Accountability Act (HIPAA); this rule addresses that discrepancy.
http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219400484

According to the article on DarkReading: "The rule applies to both vendors of personal health records which provide online repositories that people can use to keep track of their health information and entities that offer third-party applications for personal health records."

It's the latter group that has me scratching my head. Does this apply to software vendors that sell tools to health care providers to enable them to interact with patients on-line? I'm wondering what the implications are for college and university health care services who contract with providers or purchase software that allows students to manage some of their health care on-line. This is where a lawyer would come in handy.

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
telefax: 203.436.5342
PGP public key: http://keys.yale.edu/ || ldap://keys.yale.edu
security () yale edu || security.yale.edu

Save a tree - please consider the environment before printing this email.

Please be aware that email communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately and destroy this message. If you wish to confirm the content of this message and/or the identity of the sender please contact me at the phone number given above.