Simon Says – Musings of a Technology CTO

Not content with naming-and-shaming companies who break the HIPAA/Hitech health regulations through the normal press, The U.S. Department of Health and Human Services is now reporting companies who lose control of more than 500 people’s records on their site.

A duty to do this comes via section 13402(e)(4) of the HITECH act .

4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

For those not in the know – HITECH is U.S act which enforces some duty of care on people’s health information. “Covered Entities” like Health Plan providers, Care Providers (hospitals, doctors etc) need to put safeguards in place to ensure that our individual health information is not seen or accessible by unauthorized people. You can find out about HITECH on their excellent consumer web site.

Section (e) of HITECH is one of high interest, it deals with exactly how a company has to report a breach of security regarding personal health information.

The list is already around 34 companies long, interestingly with “Private Practice” of Torrance, CA having the dubious honor of 5 separate entries – all apparently related to the same-day theft of desktop computers (which must have been unencrypted, or they would not have needed to disclose).

I hate to make predictions, but HITECH is probably the model the U.S Federal data protection and privacy act will follow, meaning, if it comes true, any company losing control of our personal information will be publically announced in a central forum. No more searching the press for notifications that our identities might be out in the wild.

One final interesting thing about HITECH, which is fairly unique amongst data protection regulation, is its definition of what a “Breach” really is, and thus, what kind of activity initiates a disclosure of loss. I’ll leave you with this interesting excerpt:

1) Breach.—

(A) In General.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

(B) Exceptions.—The term ‘‘breach’’ does not include—

(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—

(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and

(II) such information is not further acquired, accessed, used, or disclosed by any person; or

(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and

(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.