
HITECH PHI Breach Notification Rulings

by Gwen.Cantarera 25. August 2009 16:32

By: Eric Egnet, CIO

Hospitals and medical centers now have even more reason to be concerned about privacy and security as the new rulings, released last week, go into effect. Healthcare CIOs need to heighten the attention they place on the protection of sensitive patient information as it pertains to access, storage, and transmission. This will need to be done in conjunction with their new focus on “meaningful use”, which includes CPOE and EHR upgrades and installations, clinical documentation, quality measures, and interoperability.

On Wednesday, August 19th, HHS issued its “interim final” ruling that requires healthcare providers and health plans to alert individuals of unauthorized access to their unsecured electronic protected health information (PHI). This came just two days after an FTC rule was released that outlined similar requirements for personal health record (PHR) vendors, related PHR entities and third-party service providers.

Both of these interim rulings have been mandated by the very stringent privacy and security requirements outlined in the ARRA for HIPAA covered entities and business associates and certain non-HIPAA-covered entities. Try saying that fast five times!

The HHS and FTC worked collaboratively to make sure that the rules were in sync and written in such a way that they complemented one another. Requirements include:

  • All entities that are covered by either of these rulings have 60 days to notify any individuals whose information was accessed without the proper authorization.
  • If a large breach falling within the PHI rules occurred, involving 500 or more people, those entities must alert the press and media and either HHS or FTC, depending on which of the rulings they are subject to.
  • If the breach involved fewer than 500 people, those entities must record and log the incident and then contact either HHS or FTC and submit the breach findings at the end of the year.

These “interim final” regulations will be in effect for 30 days after publication in the Federal Register on August 24th.

The HHS “interim final” regulations are available at http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf.

The FTC “interim final” regulations are online at http://www.ftc.gov/os/2009/08/R911002hbn.pdf.


Read Eric's industry blog, InTheKnowCIO.



ARRA | EHR | HITECH | PHR

Comments

September 26. 2009 09:49

travel nursing

I think there is need for this development so as to enhance patient security. The HHS and FTC have done a good job putting this together.

travel nursing United States

October 6. 2009 18:22

Amik

Great website!! Thanks for info!!!

Amik United States

November 12. 2009 03:53

Torrents Search

great news! thanks for sharing. hope many people will find it useful as I did. glad someone pays attention to such things

Torrents Search Canada


Key


ARRA - American Recovery and Reinvestment Act
CCHIT - Certification Commission for HIT
CMS - Centers for Medicare and Medicaid
HHS - Health and Human Services
HITECH - Healthcare Information Technology portion of ARRA
ONC - Office of the National Coordinator for Health Information Technology
PHR - Personal Health Record

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010
