Opinions about information security from a risk management perspective
American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.
If the HITECH Act itself was not enough of a wake up call, this lawsuit surely ought to be.
The Department of Health and Human Services this week published the regulations for the "breach notification" provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act of 2009 (ARRA). In effect, this is an extension of HIPAA and further strengthens HIPAA's Privacy Rule and Security Rule.
The new breach notification regulations are in a 121 page document. HHS also issued a press release that summarizes the new regulations.
This type of breach notification regulation started in California with SB 1386 which went into effect on July 1, 2003. Since then about 40 other states passed a similar law.
In 2008, California went on to pass a specific health care information protection law, SB 541, which requires notification of breaches and financial penalties up to $250,000 per incident. Here is a Los Angeles law firm's presentation on it. Since SB 541 went into effect on January 1, 2009, there have been over 800 incidents reported.
