The Federal Government’s New HITECH Act, which went into effect on September 23, 2009, strengthens the rules designed to protect the privacy and security of health-related data. However, vague wording in the regulations written by the Office of Health and Human Services (HHS) has opened the door to under-reporting of data breaches, which will in turn put breach victims at undue risk of medical identity theft.
The Interim Final Rule issued by HHS on August 24, 2009 says that a data breach incident of Personal Health Information (PHI) only requires notification if the breach represents a “Significant risk of financial, reputational or other harm to the individual whose PHI has been compromised” as determined by the breached organization. This, unfortunately, could lead some health organizations to abandon best-practice standards in an effort to minimize short-term costs associated with responding to breaches.
Since the law does not include clear risk standards for organizations to follow, this ultimately could lead to a “fox guarding the chicken coop” phenomenon.
Consumer and patient advocates have asked HHS to revisit the wording of the regulations, so organizations inclined to under-report breaches will likely be required to follow the intent of the law anyway.
In the meantime, however, health care firms intent on protecting themselves and their patients should implement best-practice approaches to assessing risk. One litmus test Identity Force recommends that its clients apply when assessing risk, beyond evaluating what data was breached, how it was breached, and the likelihood that the data was accessed by potential fraudsters, is to imagine that their own personal information is part of the breached data, and to ask themselves what type of personal protection they would want in order to keep from becoming a victim of medical identity theft.
It is important to remember that HITECH comes with stiff penalties, including increasing civil monetary penalties for HIPAA noncompliance to as much as $50,000 per violation. HHS won’t begin enforcing the new regulations until February 2010, and it may take a while for it to establish a track record of tough enforcement and fines, but since medical identity theft is the fastest growing form of identity theft, there will be significant pressure on HHS to take a strong stance against organizations that try to sidestep the intent of the law and hide behind the Act’s vague wording.
One thing is certain: breach victims will continue to be at higher risk until the regulatory language is clarified.