Educause Security Discussion mailing list archives

Re: FTC Ruling on PHI Information


From: Allison Dolan <adolan () MIT EDU>
Date: Mon, 24 Aug 2009 11:18:30 -0400

RE: PHI - both the FTC and HHS are issuing regulations - I ran across this seminar offering re: HHS activity; the comments re: encryption tie in with the other recent thread...


Allison F. Dolan
Program Director, Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave  NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect

Health Providers, Other HIPAA-Covered Entities Must Comply With New Data Breach Notification Rules Beginning September 24; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone

August 20, 2009

Health care providers, payers, clearinghouses and their business associates must begin complying with new data breach notification mandates by September 24, 2009. The U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009) issued “breach notification” regulations requiring health care providers, health plans and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Covered entities must begin complying with the new rules no later than September 24, 2009. Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For more information, e-mail here.
HITECH Act Data Breach and Unsecured PHI Rules

The new data breach notification rules are part of a series of recent HIPAA amendments enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate covered entities and business associates to provide certain notifications following a breach of “unsecured” “protected health information” within the meaning of HIPAA, as amended. “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary. The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach, and specify the form, manner, and timing of that notification. For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure.

To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the existing HHS guidance, published earlier this year, specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information will be considered “unsecured” under the HITECH Act data breach rules. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information. The HHS interim final regulations are effective September 24, 2009, which is the date 30 days after the date they will be published in the Federal Register, and include a 60-day public comment period. To review the interim final data breach regulations, see here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

