Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Database
    • IT Management

    Health IT Data Breaches: No Harm, No Foul

    By
    ROY MARK
    -
    September 16, 2009
    Share
    Facebook
    Twitter
    Linkedin

      Data breach notification rules for health entities covered by the Health Insurance Portability and Accountability Act take effect Sept. 23. Under the rules issued by the Department of Health and Human Services, (PDF) health care providers and health plans will be required to notify individuals of a breach of their unsecured protected health information. Maybe.
      For companies that secure health information using encryption or destruction, no breach notification is necessary. For those companies that don’t use encryption or destruction to protect the health data of individuals, notification isn’t necessary if the breach doesn’t rise to the harm standard established in the rules.
      According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses a “significant risk of financial, reputational or other harm to [an] individual.” Covered entities that suffer a data breach are required to perform a risk assessment to determine if the harm standard has been met. If the entity decides the harm to an individual is not significant, no notification is required.
      “For breach notification purposes, it no longer matters whether health care companies protect data via encryption so long as the companies decide that the breach poses no significant risk of harm to the patient,” stated a Sept. 11 blog post on the CDT (Center for Democracy and Technology) Website. “This decision is an internal process made by companies with a financial and reputational bias against notification.”
      The post, by CDT Staff Counsel Harley Geiger, adds, “Now, if a health care company consistently makes an error that it determines carries insignificant risk of harm to the patient, what incentive is there for the company to fix it? They never have to tell anyone unless, of course, harm actually occurs. But then it is too late.”
      Like retail before it, the health care industry has resisted data breach notifications and has latched upon harm standards to avoid blanket notifications. HHS said it included a harm standard in its rules so that patients wouldn’t receive unnecessary breach notices that could cause undue panic.
      “The concern over sending too many breach notifications to patients implies that the industry anticipates a high number of breaches. The best way for [the] industry to cut down the number of notifications would be to strengthen their privacy and security practices,” Geiger wrote. “Instead, HHS’ overbroad harm standard raises the risk that companies’ cost and convenience will override patients’ interests in transparency and in motivating health care companies to adopt strong privacy and security standards.”
      The rules are being implemented as part of the HITECH (Health Information Technology for Economic and Clinical Health) Act which, in turn, was part of the American Recovery and Reinvestment Act of 2009 passed earlier this year by Congress.
      CDT also complained that HHS gave “no indication whatsoever” that the harm standard was even under consideration in the original Request for Information that morphed into this rule. The rule takes effect on Sept. 23, although HHS won’t enforce it for 180 days. HHS also gives the public 60 days to comment on the rule, but the comments won’t be addressed until the first annual update to the rule in April 2010.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×