Sunday, April 12, 2009

Sadly, my actual job, combined with some personal issues, has been taking up essentially all of my time recently, and will likely continue to do so for the foreseeable future. I expect to be able to return to maintaining the blog on a more regular basis at some point in the future. However, at this point, I recommend taking advantage of the feed for the site, since coming back to see whether I have a new post up is unlikely to result in finding anything.

Saturday, April 4, 2009

Federal Security Breach Notification is Here

After years of talk and failed attempts, we get a federal security breach notification law, tucked into a corner of the massive American Recovery and Reinvestment Act (Title XIII of the Act, better known as the HITECH Act). Actually, we get a whole chunk of health care related privacy legislation, but I'm going to focus on the security breach notification part, as there's simply too much there for a single post otherwise.

In any case, the relevant provisions are sections 13402 (Notification in the case of breach, starting at page 146 in the linked PDF), which applies to HIPAA covered entities and their business associates, and 13407 (Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities, starting at page 155 in the linked PDF), which applies to vendors of personal health records and is enforced by the FTC. The question that needs to be asked is: how do they stack up against existing state security breach notification laws? The answer: reasonably well.

The new federal law covers security breaches which expose individually identifiable health information* regardless of the medium in which it is stored or transmitted, which makes it broader than some state laws that limit their coverage based on how the information is stored (e.g., California's SB 1386, which is limited to "computerized" data). The flip side is that the state laws cover personal information of essentially any kind held by essentially any business, while the federal provisions reach only health information held by covered entities, business associates and PHR vendors. The new federal law also includes a media notice provision, which requires notice to "prominent media outlets" serving a state or jurisdiction if the unsecured protected health information of more than 500 residents of that state or jurisdiction is compromised (breaches involving 500 or more individuals must also be reported to the Secretary of HHS immediately, while smaller ones go into a log that is submitted annually). That provision is actually stricter than the media notice in California's security breach notification law (used as a model for similar laws around the country), where notice to major statewide media is only one component of the "substitute notice" that becomes available when the number of people to be notified exceeds 500,000 or the cost of individual notice would exceed $250,000.

On the other hand, while the new federal law is stricter in some ways, it lacks what I consider one of the most important features of an effective protection: an individual right to bring suit. Enforcement is instead left to HHS, the FTC (for the PHR provisions) and, under section 13410, state attorneys general. The lack of an individual right in various state laws has been used against people seeking compensation before (e.g., here), and I think the fact that the new federal law could be used in the same way could undermine enforcement. However, even though enforcement is a little questionable, the substance of the new federal law looks like a significant expansion in the rights of individuals to be notified when their data is exposed to unauthorized parties.

*Note: I am aware that it says it covers "unsecured protected health information". However, if you look at the definitions, the "unsecured" part covers information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals, which basically means unencrypted, while "protected health information" refers back to the HIPAA regulations and translates into individually identifiable health information that is either transmitted or maintained in any form or medium.