Archive for August, 2009

Upcoming Webinar on HITECH Breach Rules

Posted by: Doug Pollack | August 27th, 2009

As discussed in prior posts, healthcare organizations will be required to comply with new, strict breach notification provisions laid out in the HITECH Act, which was passed as part of the Stimulus Bill earlier this year by Congress. Because these provisions affect not only HIPAA covered entities but also their business associates, as well as other organizations that maintain health records such as Google Health, both the Department of Health and Human Services and the Federal Trade Commission have recently issued rules that describe in detail how organizations must comply with the law.

Tanya L. Forsheit, a prominent privacy and security attorney with InfoSecCompliance LLC, is presenting a webinar on September 9th to help organizations learn what the FTC and HHS rules mean for them, how to identify compliance strategies and avoid costly fines, and what the best practices are for avoiding data security breaches. A brief bio on Ms. Forsheit follows.

Ms. Forsheit is certified as an information privacy professional by the International Association of Privacy Professionals (IAPP) and works with clients to address legal requirements and best practices for protection of customer and employee information. Ms. Forsheit’s law practice is based in Los Angeles, California. Prior to joining InfoSecCompliance, she was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where she launched that firm’s Privacy Law Blog in 2007. In 2009, she was named one of the Los Angeles Daily Journal’s Top 100 women litigators in California.

Online Health Records Extend Data Breach Risk

Posted by: Doug Pollack | August 4th, 2009

A recent article in the Wall Street Journal titled “New Epidemic Fears: Hackers” highlights the dark side of the movement towards putting our personal medical and healthcare records online.

There is $29 billion in the Stimulus Bill that is targeted towards hospitals and other healthcare providers for the implementation of electronic healthcare record systems. We are encouraged that, as patients, we will derive benefits in our healthcare from this trend due to more rapid access to accurate health and prescription information by healthcare professionals. It is remarkable how little health information is currently stored in electronic (vs. paper) form, and even less is shared among healthcare providers.

This article, however, also points out that healthcare organizations appear to be increasingly vulnerable to exposing our personal health information, as measured by the number of “reported” data breach incidents.

“In recent years, the number of reported data breaches at healthcare organizations has soared, despite laws requiring the groups to protect patient information. In May, a hacker stole more than 500,000 patient records from a state-run database that tracks drug prescriptions in Virginia — and then demanded a ransom to return the information.”

Given that healthcare providers will now be “encouraged” by the HITECH Act to more rigorously report even the smallest of breach incidents, these statistics are likely to soar in coming years. This is a wake-up call for all of us: organizations anxious to take advantage of Stimulus money for EHR systems must not do so without first taking a hard look at their data breach security vulnerabilities and risks.