Saturday, April 4, 2009

Federal Security Breach Notification is Here

After years of talk and failed attempts, we finally get a federal security breach notification law, tucked into a corner of the massive American Recovery and Reinvestment Act. Actually, we get a whole chunk of health care related privacy legislation, but what I'm going to focus on is the security breach notification part of it, as there's simply too much there for a single post otherwise.

In any case, the relevant provisions are sections 13402 (Notification in the case of breach, starting at page 146 in the linked PDF) and 13407 (Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities, starting at page 155 in the linked PDF). The question that needs to be asked is: how do they stack up against existing state security breach notification laws? The answer: reasonably well. The new federal law covers security breaches which expose individually identifiable health information*, which means it's actually broader than some state laws that limit their coverage based on how the information is stored (e.g., California's SB1386, which is limited to "computerized" data). The new federal law also includes a media notice provision, which requires notice to "prominent media outlets" if the unsecured protected health information of more than 500 residents is compromised. That provision is actually stricter than the media notice provision in California's security breach notification law (used as a model for similar laws around the country), which is triggered only if the number of people to be notified exceeds 500,000.

On the other hand, while the new federal law is stricter in some ways, it lacks what I consider one of the most important features of an effective protection: an individual right to bring suit. The lack of an individual right of action in various state laws has been used against people seeking compensation before (e.g., here), and I think the fact that the new federal law could be used in the same way could undermine enforcement. However, even though enforcement is a little questionable, the substance of the new federal law looks like a significant expansion of the rights of individuals to be notified when their data is exposed to unauthorized parties.

*Note: I am aware that it says it covers "unsecured protected health information". However, if you look at the definitions, the "unsecured" part basically means unencrypted, while "protected health information" refers back to the HIPAA regulations and translates into individually identifiable health information which is either transmitted or maintained in any medium.

8 comments:

AMIT said...

Well written about this.

Finance Bookmark

Anonymous said...

Generic Cialis

Stanford

kids bedroom sets said...

I will make sure and bookmark this page, I will come back to follow you more.

Seattle DUI Defense Attorney said...

Well said! Keep it up your work and please update your blog.

designer prom dresses said...

Ensuring tight federal security is very important to protect those people in that position against harm and other terrorist attacks.

gym floor covers said...

Very informative article that is highly suggested for reading. I've learned a lot about federal security breach from here.

summerjojo said...

To begin, buy Guild Wars 2 online, merely go over the top of the iceberg and acquire your personality itself, which races you have to choose between and just what occupations are for sale to a person. Inside Guild Wars 2 stock, you'll be able to enjoy among five races, each rich with tradition and various expertise.

Lebron John said...

The release of NBA 2K22 is getting closer and closer. Players who aspire to take the lead in advance will prepare some NBA 2K22 MT in advance here.

Attached link: https://www.gamems.com/nba-2k22-mt