Sunday, September 27, 2009

Health Data Breach Rules - Started but not enforced yet

The data breach rules for both PHR and for HIPAA covered entities is in effect, but will not be enforced until Feb 22, 2010. It is very unclear what will happen in the next 5 months if a breach happens.
New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months. Both rules were mandated under the American Recovery and Reinvestment Act.A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement. "Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule. "During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule." ...More