ID Experts Inputs to FTC and HHS Health Breach Notification Rules
Company provides guidance from extensive data breach experience to protect individuals and their personal health information
The Rules outline the requirements for organizations to comply with data breach provisions of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act (ARRA) legislation that passed earlier this year. These provisions establish rigorous notification requirements for exposing personal information and health records of individuals, as well as penalties for “willful neglect” up to
“This is the first national law that speaks to how a data breach is defined, the stipulations for victim notification and the requirement to report all healthcare breaches to HHS,” said
As part of its commitment to protecting individuals from identity theft, ID Experts suggested several areas of input to the FTC and HHS Health Breach Notification Rules, including improving the efficacy of data breach notification and requirements to empower victims of medical identity theft. Recommendations include:
- Clearer definitions of key terms such as breach, nature of entity, reliable evidence, personal health record, unsecured and notification.
- Clarification on the relationship between primary organization and data vendors.
- Strengthening language regarding human resource processes.
- Commenting on the notification requirement; adding Attorneys General as part of the notification; adding more specifics on how the notification is handled and the content of the notification.
- Clarification of the need to resolve inconsistent requirements between the federal law and specific state laws that have conflicting provisions.
- Clarification as to a determination of breach for encrypted data on a system that is in use.
- Adding investigative requirements.
- Adding requirements for providing monitoring or protection products and services to those affected by a breach.
- Adding requirements to assist victims in dealing with the restoration issues of medical identity fraud.
- Adding requirements for medical collection agencies that enable individuals to deal with fraudulent activity; recommending procedures for healthcare providers so their patients can remove inaccurate or fraudulent information from their healthcare records; requiring companies to provide similar ways to “flag” a fraudulent account.
For further details on the HITECH Act and its data breach provisions, ID Experts has published a white paper that helps health organizations decipher the HITECH Act and make its requirements actionable. This white paper is available at www.idexpertscorp.com/breach/download/?cid=pr52809&altid=b_hitech_paper.
About ID Experts
ID Experts provides data breach solutions, risk assessment, forensic investigation and fully managed victim identity restoration to corporations, financial institutions, healthcare organizations and government agencies. As a leader in data breach prevention and remediation, the company has managed hundreds of data breach events, protects millions of individuals from identity theft and has authored the Identity Crime Victim’s Bill of Rights. ID Experts is actively involved with industry organizations including ANSI/Identity Theft Prevention and Identity Management Standards Panel, International Association of Privacy Professionals, Internet Security Alliance, and the Santa Fe Group. For more information, visit http://www.idexpertscorp.com/.
Media Contacts:
Kelly Stremel, MacKenzie Marketing Group, 503-225-0725, kellys@mackenzie-marketing.com
Lisa MacKenzie, MacKenzie Marketing Group, 503-225-0725, lisam@mackenzie-marketing.com
SOURCE ID Experts
