InTheKnowCIO

The future of Healthcare IT is upon us

HITECH PHI Breach Notification Rulings


Hospitals and medical centers now have even more reason to be concerned about privacy and security as new rules released last week move toward taking effect. Healthcare CIOs need to heighten the attention they place on protecting sensitive patient information wherever it is accessed, stored or transmitted. This will need to be done alongside their new focus on "meaningful use," which includes CPOE and EMR upgrades and installations, clinical documentation, quality measures and interoperability.

On Wednesday, August 19th, the Department of Health and Human Services (HHS) issued its "interim final" rule requiring healthcare providers and health plans to notify individuals when their unsecured protected health information (PHI) is breached. PHI counts as "unsecured" unless it has been rendered unusable, unreadable or indecipherable to unauthorized persons, for example by encryption or destruction consistent with HHS guidance, so a lost laptop whose disk was properly encrypted does not trigger notification, while an unencrypted one does. The HHS rule came just two days after a Federal Trade Commission (FTC) rule outlining similar requirements for personal health record (PHR) vendors, related PHR entities and third-party service providers.

Both of these interim rules implement the stringent privacy and security requirements that the American Recovery and Reinvestment Act of 2009 (ARRA) imposes on Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates, and on certain non-HIPAA-covered entities. Try saying that fast five times!

HHS and the FTC collaborated to make sure the two rules were in sync and complemented one another. Any entity covered by either rule must notify affected individuals within 60 days of discovering the breach. If a breach involves 500 or more people, the entity must also alert prominent media outlets and report the breach to either HHS or the FTC, depending on which rule it is subject to. If a breach involves fewer than 500 people, the entity must log the incident and submit its log of such breaches to HHS or the FTC annually. These "interim final" regulations take effect 30 days after their publication in the Federal Register, which for the HHS rule was August 24th.

The HHS “interim final” regulations are available at http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf.

The FTC “interim final” regulations are online at http://www.ftc.gov/os/2009/08/R911002hbn.pdf.


Written by intheknowcio

August 23, 2009 at 7:50 pm
