Educause Security Discussion mailing list archives

from HHS.gov - Breach Notification for Unsecured Protected Health Information


From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Fri, 21 Aug 2009 16:59:34 -0400

Two days after the FTC final rule, HHS released the 'Interim final rule
for Breach Notification for Unsecured Protected Health Information'.
This is related to the HITECH provision (Health Information Technology
for Economic and Clinical Health Act) of the ARRA - American Recovery
and Reinvestment Act of 2009 -- and affects EDUs with HIPAA covered
components.

http://www.hhs.gov/news/press/2009pres/08/20090819f.html
http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf
[FR Doc. 2009-20169 Filed 08/19/2009 at 4:15 pm; Publication Date:
08/24/2009]

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
security () yale edu || security.yale.edu


-------- Original Message --------
Subject:        [SECURITY] FTC Ruling on PHI Information
Date:   Fri, 21 Aug 2009 16:42:48 -0400
From:   Martin Manjak <mm376 () ALBANY EDU>
Reply-To:       The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU



I saw this article in today's SANS Digest.

--FTC Rule Expands Health Data Breach Notification Responsibility to
Web-Based Entities
(August 18, 2009)
The US Federal Trade Commission has issued a final rule on health care
breach notification.  The rule will require web-based businesses that
store or manage health care information to notify customers in the event
of a data security breach.  Such entities are often not bound by the
requirements of the Health Insurance Portability and Accountability Act
(HIPAA); this rule addresses that discrepancy.
http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219400484

According to the article on DarkReading:
"The rule applies to both vendors of personal health records which
provide online repositories that people can use to keep track of their
health information and entities that offer third-party applications for
personal health records."

It's the latter group that has me scratching my head. Does this apply to
software vendors that sell tools to health care providers to enable them
to interact with patients on-line?

I'm wondering what the implications are for college and university
health care services who contract with providers or purchase software
that allows students to manage some of their health care on-line.

This is where a lawyer would come in handy.

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN




--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087 telefax: 203.436.5342
PGP public key: http://keys.yale.edu/ || ldap://keys.yale.edu
security () yale edu || security.yale.edu

Save a tree - please consider the environment before printing this email.

Please be aware that email communication can be intercepted in
transmission or misdirected. Please consider communicating any sensitive
information by telephone, fax or mail. The information contained in this
message may be privileged and confidential. If you are NOT the intended
recipient, please notify the sender immediately and destroy this
message. If you wish to confirm the content of this message and/or the
identity of the sender please contact me at the phone number given above.
