New health data breach notification rules go into effect

The rules contained in the HITECH Act requiring HIPAA-covered entities, business associates, and non-covered entities that provide personal health records (PHR) to disclose breaches of personal health information go into effect on September 23. The draft rules were published as interim guidelines in April, and the final version of the disclosure rules was published by HHS last month, with a corresponding rule covering PHR breaches published by the FTC at the same time. The rules will greatly expand the scope of organizations subject to breach disclosure requirements, although HHS did include a provision in the rules that unauthorized disclosure is not considered a breach under the regulations unless it causes or has the potential to cause significant harm to individuals whose data is disclosed. This exception is troubling to privacy and consumer advocates because it introduces a measure of subjectivity into what seemed to be an objective requirement (the harm provision was not part of the language in the HITECH Act), and it raises the possibility that organizations who suffer disclosures will understate the risk in order to avoid having to comply with the rules.

The rules still apply only to unsecured data — in HITECH legalese that means data that is not rendered “unreadable, unusable, or indecipherable” — so tomorrow also serves as an unofficial deadline by which organizations holding personal health information should implement encryption for their data at rest as well as data in transit. It remains to be seen whether major PHR vendors like Google Health and Microsoft Healthvault will add record encryption to the set of security and privacy protection measures they already have in place.