Posts Tagged ‘FTC’


HITECH Act Reporting Starts September 23rd

Posted by: Doug Pollack | September 21st, 2009

Starting September 23, 2009, healthcare organizations covered by HIPAA and the HITECH Act will be required, in the case of data breach incidents where personal health information (PHI) is improperly exposed, to notify both the individuals affected by the breach as well as the federal government, who will post this information publicly.

The data breach notification provision was an important element of the HITECH Act, which is the first federal legislation, in this case targeted at healthcare organizations, that specifies what constitutes a data breach and what notification is required for such incidents. In this case, “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI).”

An interesting controversy has recently surfaced in the way the Office of Health and Human Services has “interpreted” the HITECH Act breach notification provisions. The Interim Final Rule issued by HHS on August 24, 2009 specifies that a data breach incident involving PHI only requires notification if the breach represents a “significant risk of financial, reputational or other harm to the individual whose PHI has been compromised.”

In making this Rule, many in the industry believe that HHS has gone beyond congressional intent by adding a “harm threshold” that is to be self-assessed by the organization that caused the data breach incident.

A recent article in Computerworld titled “HHS guts health-care breach notification law, groups warn” illustrates this disconnect. It quotes Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights as saying:

“This harm requirement actually violates Congress’ intent in the stimulus bill. This is essentially an industry rewrite of the law. Given the way the law is worded, health-care organizations will have little incentive to own up to a breach involving protected health care data. This is totally for the protection of the industry. It eliminates the consumer protection that Congress intended to be built into it.” She added that her organization will be part of a “giant response” to the proposed change by national consumer protection and privacy organizations.

While over-notifying individuals about totally benign incidents is not a positive thing, because of the concern and anguish that can accompany such notices, what HHS has done in setting a harm threshold that allows a self-assessed determination of whether a data breach incident should be reported seems to give healthcare providers more of a “get out of jail free card” when incidents occur than those who wrote the law intended.

Independent of how this controversy resolves itself, there is no question that healthcare organizations, starting on September 23rd, must carry out a “risk assessment” whenever an incident occurs that could possibly breach the security and privacy of the PHI they hold. Such organizations would be well advised to have clear policies and processes for these events, and to document the analysis and conclusions clearly.

Upcoming Webinar on HITECH Breach Rules

Posted by: Doug Pollack | August 27th, 2009

As discussed in prior posts, healthcare organizations will be required to comply with new, strict breach notification provisions laid out in the HITECH Act, which was passed by Congress as part of the Stimulus Bill earlier this year. Because not only HIPAA-covered entities will be affected, but also their business associates and other organizations that maintain health records such as Google Health, both the Department of Health and Human Services and the Federal Trade Commission have recently issued rules that describe in detail how organizations must comply with the law.

Tanya L. Forsheit, a prominent privacy and security attorney with InfoSecCompliance LLC, is presenting a webinar on September 9th to help organizations learn what the FTC and HHS rules mean for them, how to identify compliance strategies and avoid costly fines, and what best practices exist for avoiding data security breaches. A brief bio of Ms. Forsheit follows.

Ms. Forsheit is certified as an information privacy professional by the International Association of Privacy Professionals (IAPP) and works with clients to address legal requirements and best practices for the protection of customer and employee information. Ms. Forsheit’s law practice is based in Los Angeles, California. Prior to joining InfoSecCompliance, she was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where she launched that firm’s Privacy Law Blog in 2007. In 2009, she was named one of the Los Angeles Daily Journal’s Top 100 women litigators in California.

Car Warranty Phone Calls

Posted by: Rachel James | May 18th, 2009

Rebecca got the call, I got the call, almost everyone I know got the call. It starts with “Our records indicate that the factory warranty on your vehicle has expired or may be expiring soon….” Others reported auto dialers contacting them about lowering interest rates, or other services. The third or fourth time Rebecca got the call she asked me if she should hang on the line to try to talk to them, or press 0 for an operator. I explained that until more is known about the phone call, pressing any options or speaking to a representative may make the situation worse. According to the National Consumers League’s National Fraud Information Center, by responding to this obvious scam phone call by pressing a number, you are letting the dialer know that there is a live person on the other end of that phone. You could even be providing the proper tones or voice commands for them to record and use later for fraudulent authorizations. Diligently, we hung up every time.

Likely, we got caught up in a telemarketing call that has the Better Business Bureau and Federal Trade Commission flooded with complaints. Recently, it grabbed the attention of a politician in D.C. The New York Times reports, “Mr. [Charles E.] Schumer, Democrat of New York, was in a meeting on Capitol Hill last week when he picked up his cellphone, triggering a phony, prerecorded sales pitch, ostensibly for an extended vehicle warranty. Irate, Mr. Schumer became one of an estimated 30,000 Americans to make complaints about the robocalls with consumer protection authorities. He held a press conference to rail against the ‘robo-dialed harassment.’”

The Better Business Bureau offers the following advice when dealing with these companies:

  • Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer.
  • Read your manufacturer’s warranty and contact your dealer or manufacturer to ensure that you are not purchasing duplicate coverage.
  • Consumers can place their phone numbers on the Federal Do Not Call List by visiting www.donotcall.gov. If a consumer is already on the list but continues to receive telemarketing calls, he or she can use the same Web site to report incidents to the Federal Trade Commission.
  • To find trustworthy auto warranty companies, consumers can check out BBB Reliability Reports online and free of charge at www.bbb.org.

For more information or to schedule an interview with a BBB spokesperson, contact Alison Southwick at 703-247-9376.

Santa Fe Group Announces ID Crime Victims’ Bill of Rights

Posted by: admin | February 24th, 2009

by Doug Pollack

The Santa Fe Group, an industry consortium, announced today an identity crime victims’ bill of rights that proposes the rights that should be provided to all individuals and recommends an approach to legislation for adopting this bill of rights.

“The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available at http://santa-fe-group.com/whitepapers/register.php.”

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:

  • Assessment of the nature and extent of the crime that removes the procedural ‘Catch-22s’ when validating identity
  • Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
  • Freedom from harassment from collection agencies, law enforcement and others
  • Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
  • Restitution that includes repayment for financial losses and expenses

“The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts (www.idexpertscorp.com).

‘Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,’ said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. ‘We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.’”

The Santa Fe Group, ID Experts and other members of the Vendor Council will be holding meetings in Washington, DC later this spring in order to drum up support for this concept and related legislation.