Educause Security Discussion mailing list archives

Re: FTC Ruling on PHI Information


From: Allison Dolan <adolan () MIT EDU>
Date: Mon, 24 Aug 2009 07:52:40 -0400

The FTC rule definitely includes entities like Google Health
Records, and other 'cloud' entities - if they have a breach, they
must now notify (there was no such requirement before).  If your
health care services host the application, then I think it was
already covered under HIPAA.  If, however, they were using a hosted
service then checking with your lawyer (or whoever your HIPAA coord
is) would be prudent - not only did they add 'web-based entities',
but the rules for "business associates" also changed.

Note:  This has been called the first national data breach
notification requirement.  AND it expands enforcement from just the
HHS dept, to include FTC and state/local gov.   They also added some
significant fines.

......Allison  Dolan (617-252-1461)



On Aug 21, 2009, at 4:42 PM, Martin Manjak wrote:

I saw this article in today's SANS Digest.

--FTC Rule Expands Health Data Breach Notification Responsibility
to Web-Based Entities
(August 18, 2009)
The US Federal Trade Commission has issued a final rule on health
care breach notification.  The rule will require web-based
businesses that store or manage health care information to notify
customers in the event of a data security breach.  Such entities
are often not bound by the requirements of the Health Insurance
Portability and Accountability Act (HIPAA); this rule addresses
that discrepancy.
http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219400484

According to the article on DarkReading:
"The rule applies to both vendors of personal health records which
provide online repositories that people can use to keep track of
their health information and entities that offer third-party
applications for personal health records."

It's the latter group that has me scratching my head. Does this
apply to software vendors that sell tools to health care providers
to enable them to interact with patients on-line?

I'm wondering what the implications are for college and university
health care services who contract with providers or purchase
software that allows students to manage some of their health care
on-line.

This is where a lawyer would come in handy.
 --
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
