HHS failed to meet its August 18 HITECH Act deadline for final guidance on unsecure PHI.
Talk about "unsecure PHI" comes down to this: if patient information escapes your backdoor, is it protected by these standards? If it is, then you've got a "safe harbor" for avoiding breach notification.
If it isn't, then you're talking breach notification—to the individual, HHS, and possibly local media (the latter if it involves at least 500 patient records).
John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott, MD, says encryption of patient records today is a necessity rather than an "add-on." He adds that patients now have a "growing concern" for the appropriate safeguarding of their personal and medical information and are calling for organizations to mitigate data leakages and losses.
"The need to encrypt and the provision to notify have become standard ingredients of the many state data protection laws," Parmigiani says. "They have been reinforced by not only the recent CMS report of its findings from the 'Security Rule compliance reviews' but also in the original HITECH wording and the subsequent HHS guidance in April."
HHS issued a proposal for security breach notification in a 20-page report in April, a draft guidance that defines acceptable conditions for covered entities and business associates to encrypt or destroy their private patient data to secure PHI and prevent a breach.
It opened the public comment period for about a month. Since then, it's been a waiting game for final guidance, and it still is, now past Tuesday's deadline.
The Federal Trade Commission did meet its deadline, issuing a final rule in the Federal Register that requires some Internet-based businesses to notify consumers when they've had a breach of their PHI, according to an FTC press release issued Monday, August 17.
The rule was issued under the mandate from Congress in the American Recovery and Reinvestment Act of 2009.
It applies to both vendors of personal health records—which "provide online repositories that people can use to keep track of their health information"—and entities that offer third-party applications for personal health records, according to the release. The rule requires the Web-based entities to notify the FTC of a breach.
The FTC offered a standard form for such notification.