Educause Security Discussion mailing list archives
Re: FTC Ruling on PHI Information
From: Allison Dolan <adolan () MIT EDU>
Date: Mon, 24 Aug 2009 07:52:40 -0400
The FTC rule definitely includes entities like Google Health Records, and other 'cloud' entities - if they have a breach, they must now notify (there was no such requirement before). If your health care services host the application, then I think it was already covered under HIPAA. If, however, they were using a hosted service, then checking with your lawyer (or whoever your HIPAA coord is) would be prudent - not only did they add 'web-based entities', but the rules for "business associates" also changed.

Note: This has been called the first national data breach notification requirement. AND it expands enforcement from just the HHS dept, to include FTC and state/local gov. They also added some significant fines.

......Allison Dolan (617-252-1461)

On Aug 21, 2009, at 4:42 PM, Martin Manjak wrote:
I saw this article in today's SANS Digest.

--FTC Rule Expands Health Data Breach Notification Responsibility to Web-Based Entities (August 18, 2009)
The US Federal Trade Commission has issued a final rule on health care breach notification. The rule will require web-based businesses that store or manage health care information to notify customers in the event of a data security breach. Such entities are often not bound by the requirements of the Health Insurance Portability and Accountability Act (HIPAA); this rule addresses that discrepancy.
http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219400484

According to the article on DarkReading: "The rule applies to both vendors of personal health records which provide online repositories that people can use to keep track of their health information and entities that offer third-party applications for personal health records."

It's the latter group that has me scratching my head. Does this apply to software vendors that sell tools to health care providers to enable them to interact with patients on-line? I'm wondering what the implications are for college and university health care services who contract with providers or purchase software that allows students to manage some of their health care on-line. This is where a lawyer would come in handy.

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN