Posts Tagged ‘13402’

Breach notification goes into effect on September 23, 2009

Wednesday, September 2nd, 2009

The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it has discretion on imposing sanctions for failure to provide notification in case of a breach notification for breaches occurring before 2/18/10.

..

During the 180 period between 8/2009 and 2/2010 covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.



Tags: , , ,
Posted in ARRA, Encyption, HIPAA, Rulings, Section 13402 | No Comments »

Long term costs for a breach of just 499 records could be as high as $100,798

Saturday, August 29th, 2009

According a study performed by The Ponemon institute, which is also quoted by the Department of Health and Human Services in the Interim Final Ruling on Breach Notification, the total cost of a data breach is an average of $202 per record (of which an $152 pertains to indirect cost including abnormal turnover or churn of existing and future customers).  A breach of just 499 records could cost $100,798 over the long term. The same report states that health care and financial services are the two industries experiencing the highest average rate of churn. It should be noted that, according to the same study, lost or stolen laptops/mobile devices account for 35% of all data breaches.

..

Laptop and mobile device encryption technology is readily available.  Implementing encryption in other vulnerable areas such as file shares, removable storage, and even e-mail greatly reduces the potential for invoking your breach notification plan. By reducing the availability of unsecured protected health information (PHI) in your IT systems you can greatly reduce the chances of having to notify individuals in case of a breach.

Tags: , , ,
Posted in Encyption | No Comments »

HHS Ruling on Encryption – ARRA/HITECH ACT subsection 13402

Monday, August 24th, 2009

On Thursday, August 20th, 2009, the U.S. Department of Health and Human Services (HHS) issued the Interim Final Rule on Breach Notification.

An important part the interim final rule is the decision that encryption is the only acceptable technology to make protected health information (essentially, patient records) “unusable, unreadable, or indecipherable to unauthorized individuals”. The preamble to the rule explains that even though other methods (such as access control) can continue to be used, if a breach occurs and the protected health information is disclosed to unauthorized individuals a breach notification is required.

Breach notifications are essentially categorized as “under 500″ and “over 500″ records. If a breach occurred to under 500 records then covered entities must maintain a log of the breach and notify the patients. If a breach over 500 records has occurred then not only patients need to be notified but also major media outlet and HHS. In addition, a hotline must be established so that people can call and obtain more information about the breach (notification procedures are specified in the HITECH Act, Section 13402). HHS can issue fines and attorneys general of each state are empowered to pursue these types of breaches on a criminal level.

The government is clearly serious about patient record privacy to encourage covered entities to move paper records to electronic records as part of its overall healthcare reform efforts.

Tags: , ,
Posted in ARRA, Rulings, Section 13402 | No Comments »