|
|
|
Health IT Data Breaches: No Harm, No Foul
By: Roy Mark
2009-09-16
Article Rating:  / 9
There are 14 user comments on this Health Care IT story.
Under new rules developed by the Department of Health and Human Services, HIPAA-covered health care providers, health plans and other health entities must notify patients of data breaches involving their health information. Unless, of course, they decide not to.Data breach notification rules for health entities covered by the Health
Insurance Portability and Accountability Act take effect Sept. 23. Under the rules issued by the Department of Health and Human
Services, (PDF) health care providers and health plans will be required to
notify individuals of a breach of their unsecured protected health information.
Maybe.
For companies that secure health information using encryption or destruction,
no breach notification is necessary. For those companies that don't use
encryption or destruction to protect the health data of individuals,
notification isn't necessary if the breach doesn't rise to the harm standard
established in the rules.
According to HHS' harm standard, the
question is whether access, use or disclosure of the data poses a "significant
risk of financial, reputational or other harm to [an] individual." Covered
entities that suffer a data breach are required to perform a risk assessment to
determine if the harm standard has been met. If the entity decides the harm to
an individual is not significant, no notification is required.
"For breach notification purposes, it no longer matters whether health
care companies protect data via encryption so long as the companies decide that
the breach poses no significant risk of harm to the patient," stated a
Sept. 11 blog post on the CDT (Center for Democracy and
Technology) Website. "This decision is an internal process made by
companies with a financial and reputational bias against notification."
The post, by CDT Staff Counsel Harley Geiger, adds, "Now, if a health care
company consistently makes an error that it determines carries insignificant
risk of harm to the patient, what incentive is there for the company to fix it?
They never have to tell anyone unless, of course, harm actually occurs. But
then it is too late."
Like retail before it, the health care industry has resisted data breach
notifications and has latched upon harm standards to avoid blanket
notifications. HHS said it included a harm standard in its rules so that patients
wouldn't receive unnecessary breach notices that could cause undue panic.
"The concern over sending too many breach notifications to patients
implies that the industry anticipates a high number of breaches. The best way
for [the] industry to cut down the number of notifications would be to
strengthen their privacy and security practices," Geiger wrote. "Instead,
HHS' overbroad harm standard raises the risk that companies' cost and
convenience will override patients' interests in transparency and in motivating
health care companies to adopt strong privacy and security standards."
The rules are being implemented as part of the HITECH (Health Information
Technology for Economic and Clinical Health) Act which, in turn, was part of
the American Recovery and Reinvestment Act of 2009 passed earlier this year by
Congress.
CDT also complained that HHS gave "no indication whatsoever" that the
harm standard was even under consideration in the original Request for
Information that morphed into this rule. The rule takes effect on Sept. 23,
although HHS won't enforce it for 180 days. HHS also gives the public 60 days
to comment on the rule, but the comments won't be addressed until the first
annual update to the rule in April 2010.
| | Reader Comments: Health IT Data Breaches: No Harm, No Foul | | >>> Post your comment now!
| | Costly Harm AssessmentsIf a server is compromised or a back-up tape is stolen, assessing the potential harm is straightforward compared to doing likewise for when malware... Posted At: 10-27-09
By: Eirik Iverson | | | | | | Actually...It wasn't Congress that messed up here, it was the Department of Health and Human Services. The legislation is actually pretty good. The "harm... Posted At: 09-25-09
By: Anonymous | | | | | | Not sloppy, not scare reportingYou should do some of your own homework. I don't think you read the blog post to which the article links very closely. You should also read the HHS... Posted At: 09-25-09
By: Anonymous | | | | | | ShamefulWonder how our Senators and Representatives are keeping their health records secure? All of the BS coming from Washington assures us our info will be... Posted At: 09-23-09
By: An Old Fella | | | | | | The Info BELONGS to the PatientExcellent point! All too often large organizations like governments, insurance companies and HMOs forget that the customer (citizen) is the one that... Posted At: 09-23-09
By: BobboMax | | | | | | Yes, this was a sloppy article.I do agree with Healthcare CSO, I work with compliance issues everyday for an organization that is "only" a Business Associate. We have a Breach... Posted At: 09-23-09
By: Business Associate | | | | | | Where have you been?This was in the works LONG before Obama. Think Clinton era, with the modifications you're seeing now originating in the Bush administration. Look... Posted At: 09-18-09
By: Healthcare CSO | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������x}ks6*�Q3{L=RJ64ԭҡDHbLZ#'ΗSOx��%13;NƖ�ht7�F;�?��~$vtô'��Ùc�<:rIC"I{C(7
Zͨ��:AjFɐ�,o�R}�F]̉]͌S7S�!���و|N�შ��b�H��j��%SjN~U3g�l dčى9>1�f��E63N'��6I���GV3�"%28�K3?&?*B��4NHPߢر}3{Pe3��g;1m 1+Xq,�(?cFu37?y'Cj�p�_C��G��`i�rF@Sѡ*"U�{A%h���j&�9�2&-�#wJ3q'�"�S#&5@hle2IRi�3܋��H;@oȱ���X,.R-͌i�:k�t[kbc{K
3}]1H
ό,?Z� Q���+�Z�ŹYs(2�1�,TYN[~C~64/VIͳV��,a�T4"2/]鬙ȏwzUyuy4�[g�'g�:�R��ڟ-lOk*~kups�vO{uH0�u=�kh2�`=r8LsrP�?4gOWM2᭫��H|;FAq !}W=�nr2C2qe�w"��aM�<�~xA�dƩ�$|��S;CkW]ӬZTxkq
4}G_x0N�D0滋3f�M�U3,e��g0UA�M)��41tG��v!fB�M�o���z@�@�Z\~V )Uٛ�"K�;Cx��r!DKI
�88�{��F�NR�.9t�npq��]7KDi.,�s5-waˢ�4w�{R;o�
һ^0*>c]�f%",Q�ƹ:n:jb%2�RI�^T*r[ hS�2e8l����iI7DA�>�+��Kݺ~L�=��W�ԃ9*`��I[�E�6z�&>��P6=ol2��w�9;-L&w&�0`DנwCPb1LG��TE=���P/@Xt�u�'#}Q(�=�9���nZдc@\j,FЇ9K�w2Z}c%n��إ��.B$(ZȻ���!A�lv
��[w�X�V0(VFJrGBj!���6O�s@PGRۙ8�Px(fB>ab -d[b�|�l��eV&vϏhbB�|#'d�Xr`Y
�\`+|�i)b
lԨ˶ViHi P}c3 =]�GVK*Z��ҥ#_VTyu&aS3mrH�:u1��@w�O8Â]z�xlLXh�'l:4Ed�)Ln>4EW,==Т-`"[g�8V(f�ᠺ�4C�}�52{B[`r�&e|GC8&T�>z/��C��p�7+ u&���r�G|媞5��jx0?S\�LdFfko�m�c�ښLp�uIY(�iJ ��5��
L�qG](.E�SgFl�3]s;tOV#/OZbxh6���$/gcP(�oWu�BH[�$��)ފy�˾0p
WZD"b �j7�{pέ�e�6K�h�/0W0��Ϳ|����1�ؤmT
jrNԽ)ȔeF�:�N4R,>ڹe3����%P��$wCJ$l%I�W9{́Hy5
ΆłSՈqO9&�_G5�k�^��˥�Wر,>2躢G�ıst�1�4��
n¹9z1|��Jj�0"B(Vyٙ{�8h^;(2��r]ilu�0q`( Z3:sV*L3$!WwwNQ1O0�kM8v�كEh*O<={3"u�n�_xHE&@|Z�h��
և��Bs
SL@ΧrEX¸
�~1��~1UŠP=N�G��z-X]�L,1��ӞÊ?DNEk]W9*#L[h�ho?]Hʥr.W.EpC+jtWK�qVJ.옣8
�j�oNGɁ3��S�tM?;�
LZ7�ϝR*�zCG�>s��y >{�V�?eE�>yL��{H�˰"Uyo�=JZY?H`�6ʼnG =q?@.+2G¹5�`d��Qе�a=E��C?%��H�*�7h6І{e�gjڳu;O+$�{Ђ#?�iP�Y�f0`%5-*�?
E
�LkQ�Cŕ9��
#ꏙ3j
0�UY[�પ*ʾ_YV+^�t�m(5#S��#2>qg��rh)h
f5�
0};`[�9r��p�+,s��Jb+�ʹV(EcߙUzvujYd^̳3irS�lU
֕9�geyM?؛ZKmbͳi
4�t8ߙW/TY̘gw\)07(p���&S�?G "-۠�|e�2Ltn1S�c%[4x[2|'@�d��k�93��NQ&grf>+�RL>lv'gZx��G[Oow�_`nϮI�0TbVRP�Xe V^A��3F˾37G/\]y4WOg�*�z)c��ʂ�y/(SY-q'&F.R�,9r�fbF6}l;/��i�ɕ",߸/̉ggosX唲Z<�Y5�&Q�rMu�E
|�ŏh(ermfُC~=բA�緒qSgKZPb<*�rmn�,��:
�-6" "��l[
e|פX���OeF3�q1�8@X=x}`6
у�>gWՄθvr�`0O�#[&qYy�Vum4tX�"5H�VV5XI0ieI˕sZ~����#2aӃ�U^�UJ&R�&�SMS�\s�<�$ɝ?5�p_@7�|*|1yM˃v@lKR1sWGc���3��"�pDF.eѓy9�O*�,/�J)W)p�/g$
�,�$��DB�s9~[!6E�z!,8{Jeo�[
xr~e, ,"0�aZ��p̰Lc
�YōyAd@88&o�;W������=
ПBQ`n�о(&s,$\�auv�h��@qMѿ8&9Cw/yj:?�LG8^pk[c {B.�0E ^.��Ҹ]`��~Z?I�
թoc0.[,j2�m&A)��p$��o>{1�Ջ붻 i.R��^{%{0�&To_�'d�0|
sn֯ÏO�M1��0ѭx$Ǣ8cF;fW쐶Cվt�k,�S�VXs!�j,49Fπa6(F'�Q?
?�ּIb�}J_cNfo4��~�P6=8,lrh縍vRtG�Ndp
j[=h㿜Q'$�AFy/p�(A-H6ؼ�N9&S0�rJ`"�:�Q9;cv�?G(��cl9���J�|,f8B�OR�:.�K�ց39Y)N xr< ǡAGJ脒ay�e5. eL5NR�MLC]�OC/��$�;��B2Tzw �ga�>m3�j:n�_")=��@u�\e `�q�oD XY�+=yPbb%ŵh0%W&B|c'�xR�=Na0t�O�3�)WEVd�tӨjRtwf�uDZ(K:��Np�w؎#^@(N�Vpk57x'�;_Y.t0o
��_�lzϜGIM2�1B? P}4%�l�?kg@�tĢ�FS|��`'2,|e�%U\s"X*1 3Xu
ZpFl+2Èǹµ|pfic�?%>kRԿ�5LN0�c,H~ CwKHT9~ÿ
w낧 �� �;s&�to�;Vm,c�s/÷y~�P:|{�ݖy�P1fng�lLg�I"ɪպ%w7=o\8%'+Txt1�ς�Q/n�f��(fޮ�yeТ1�}dw薺ooo=إ
&Õ~�=*^�GL�w.%|DzDpp&{Z=d�QJ=�w,qu@jjaIbT�=/-K`TT�y^�An����"uFm�"fc;EE[o溫ώ\xn1DŽ?7�#
`!3Ȑ$�+Q9M�gH&rd�[ c�*�v<�.��ݝL �M A�;$J��<�N5>[4�
R�UCf��M�k5ì§u,'i�ƿ_LWc'[T>�9b�)Me"z/ãhZo18�dɩsN�H�"13�1?��kƎ�b~Dp�H-�Q=.5LO(2t^a�ޣ�Hfi/�li)m��$: `�Q$�P|z9=�YЪu7"v@̦큘HzIYpI05H}�S�!i`�\��P(�`ޘ6�0*)�=d[(PRaGx1o0C����`�b$%<�%XIua�ߥk ��<�#����G �R{;rV8+:�8Ѹ (6Gg&}IQ]�5fK)��X֯=otEE�a>@�XA)��"& �3��5�q$h,A�XK�_�44P�7�u0��b�Pw0[kjQD5'"̮͜['�pX`uįF�>�a�_{KE��f69����q<��]{Jf�c�2/E�agu>ֶT�R�i��3�v�e\�q�Hmeμ1C-b{Lع�Tx
#aH�Q�d�4
"?;^wm-N�0ܙú5�p�_͂B/߸(ķzaG(" f'ߘz�)Bל_@M`/d;19絙�#y{�wi�`�W۱:>W�/
sU]}>�dUokocϲ.9wt%k۴RBRWlp,�Nüv3#_=�?���FR�
IV$��dN95B*Θhf֖4FPEAVX�+o�^�x<9L- ϣ%>?<:tCL%ħ�;4(PTgX|�}�/Ev�OqEyd^�̴e-'�Id�'ݴX,hELVÑAu}�6 �94C0��p9�C`wt{Qy)ƀT,��l?��Q�X2H{�m��/)qy�w[+]��m.91�͜E��t�1��^r�OP/yK.i^`Td�ޅd��W!\�i���"�rTIoA�$ΩPc�mr U@+Ě��j|Ka58[j�[�b�dk;Xycy[a�n[;Xifyl�+n-浻�xB(ͪNX`h:�z�є-*�1;,!!gOd��?E�Z�l�KLµ+A$�8Ieuץ�:�̹%�D0s"DzG{�eM)i弚�\OD5ƭ9�w��Օ>.,^kOuy>깽煂ϕ7uzqX*l E�L�ƞ�d�O�}TK{�ev�Jr;-凖"��@�r�|jQ_ow�rA�v(FgJ�Gc4X
%]���{i/��~IK�6&K�?-�iЙ
�HuWkB!�� 6A�Pt�;
�|1~b:d�-�ʒ2;DW�lfۂb4JK$¨`�DMa�Bu1m:�':�1qT ; J}�9Xz6ىۓj10�*1Xb
aZ*F�.#ZJi�x�O>QKP4�0nB!1
\�"Н�B>ͪM;oP}sY?e=ta
�'2tsع[!VV�ߞĶru�Yc�_�D�_�M%i�OS:�+�>�z�C��.�NorQtj$G�p�
No [�B
'̋XHst<Ȑ»r�6ȝ4�d.81��q�y5�Ņ
XH�JW7�Ul�Nh$�|b #2uFf&$�T
)
D`NjM�#�Poen�zxX�2d=:�&2�;`#w#a�(4�l<�D
�G�ۅuE)�dr9�?wCY�M�;�C�{!�&
;�>�B(!�i��?ߎ͛_/{JEaFN$u2D�t0\��3�n*%���@9
d�U� �/�nrl6b-i`IkH���J��z>q1
-;ۈ$�O LD:5L{d-،�s(~4�60'�(LfwD>v[WLQXj��*��{3wإ4͒ �}{>�_$R�KDt(�(�� �I�YP[,(�!�z)%@7Q�I8��W8.,�03O������F�"LD [qįOqWyΆ4� 3�f:sj9��:r�tT-)ʑ�"|{�C`���c2s���C´vp�"_o�B�<౸�Pl�<'�6ZGLw1�SsH�OP����b�JY-)I`R�|:Pr|�+R0�b'ύ�x�oR�fQXF*_GiL$�R&.
��?f$-C쌆#xɺ9ҏIQ��k۷��3U�9^:9n6Iiuou/iݽ#N�܂/{sm|:^}:o]6[Lta&hDf[_d�L{GY��i2;eAq(g�C\h�^E���ᵓ∾(ah,.6)tI-�Uve=DM@�+:놁[_)į7�^OKVTk!h?m?gg:^sv>3yԢ#_ЦׯJ�c>T3%N�M�p���4ħfy'f�n
N)�I)�M)guzJy�ʻ)
AR~�gρ>)y�O�(]6�ZR�RCL2�oK/SR ?m.o�v
|j@;)�N�|o'�O'>�'�N
v?;)2zˏP1�/R�K)@y'�2e|/A~.S�2e7�.n~+�R�N��>_?l.�!>BǴrǔ}�}L
ߤ�ޤ
M
:IJ"g+\8=B��2�~)�A__�yJ+%yJy�SYQ�~v¯EX^й"Я"Eߧ�w2~v2Am]u�u
CFWX=m /dmth8F햒n7q_l Σ�_zi� kId�=&x�E'W48<1X>t�nmV鄘q�2#s"qGc_%Ü�D x�FUD��4��Kqǜ.e�b�A\Xh#]vϬ0���(W.�v�8ov-~7e��Ax�`�?7�7U.wpyk;ُkw�յC5AfПb
9 /'8+s8�<�4;p٥!Tl<-!�6La3[� ÈC/�s
H8tu�=T,q#6��{U0Aח�ڋY5>Y_U̯zl�KÙ�#~zW@jeR��Er҇91"<]SKg
cBD�W�it�؉�&3�O7�#]]%b(�WK[-
b��tGD��K1w�Q5YUdL*�{jERȗ�&���K<#
��.]3^%�&
-ˡN�!�3pC�&܊5F�Gk(��x.xmTE*|�_LmRR@,Ty�gM~
oG2�d �S�E�%
j�+Dl`@bJPKLg
L[`*ɤyUkcU�4��bn4�1lk/�['�}'NFL�,E�~�f&g�u��c�Aޡ=G�'M0f�%`�Kf\Ы�HGǓ\"�9�oي^^'�΅*K �X6-07+��y1%?�}�&l�ylmb�ӿ+݂w2$<;Y$G�|����ZU�:�h 85�3]^M�̇^RK;.|gn蹈 p|�1�a>`Z})y�[pd-1DV\�Udk,4]�XZo
�|J1�1-�G
㣝A{{L�kd97k�&2x['05:�%�^'��3Vfwˉ�Q35v�-3�
�PxX:���N϶3[;�tkQݏ;�3ixR
��~2m
c2!`I�!d��b���r�2���)�Lʌq?IhBv]#6
�R�Ň%?1m^<9�_��s{03�Iݣs�MYZem\$�a�c{ M�>�XzBB$%0qn�O�ݰP<��>x�("
2H�2s�{B�|%m{jP2!-]t<�ƔѠ��bAo[A��<$^SPuXO-::6Zd��;cxToL�"m��1(�}p�5��J(KESXn�A�}FV垓gg_7�b
Gy&"3@tgY(VxHD�Z�yo()�y+6�+ه�7�0UVA;JM{�X�|@ăHv!$s�U���p�`#�,�|o,E7ge��S%��%-^Π'bہ;y�nwe�&PL=ʆ3RZFAwyH,݈��cAQ6+yJ>?��T|-5OL��0zNZ}�{&>XhD-O!ɿ\4fR*4$NSP��=ZO(�o݊�[\��<>b�ЀΣYp祈m,�m*>|l��zYAΘlM%b]M�>_�vw[=/Dz_�Ba2\�T��x
k�og3gz��׳;���<�v?�/M�ek[$�vį-��yJn�S �O�3�й?-}bW/���e{�:�^�,�{��QAb�zC�8uF삢u��.nDlaa�^n1n,D�@�c�ٝ�{�;p3z�m�6���QmQo#ຨN�40(�|_|ky#�¾"�yX�@cbs,&Il}CX�<���^|6Ǹ�0pcf~��;8KY'}d.-"�$(zIW���A0��&|Eȣd`C�v�_�<8=��c�L��;acXJ
�Y2!&;�O80�Ux|�-h\�};}xX���˙3d)O#xV*E�BzU.��Z�^cdKX$֬�LE"�)ԛc&(g/�0~�
��u&Sǂ!w�a+ecPZXVc.G�{ׄ �izxf�X��C`*#F"��Z*bJ�؉ZQpR&�79vI��}�&뇎܌aBa�r���L%�����^�hl�'/bA-DT��/>%hw2b5��#ʧ=I�~�q��v0,H!�KNš�|]\� k?X�y/;c�RI>Rm��v"8yv�k��1�ba'*i_�u�,�-}tKOg~lHAE�e鑢%!t�$��!ջ7�xO`(�}\}l4�nF_1�>�?sӨZQ+łI#{ob[E1�um*aRQN� v.b(6dvlS24K�_jj�JlTɱ|Y#|Y7N"�]d[hp
b7F�;a�1Բv�w&-��
|
Health Care IT 
