A useful law unwittingly diluted by bureaucratic whitewashing
A new data security law recently went into effect as part of the U.S. Department of Health & Human Services (HHS) Health Information Technology for Economic and Clinical Health (HITECH) Act. This new law, called the "Breach Notification for Unsecured Protected Health Information," is aimed at health organizations covered by the Health Insurance Portability and Accountability Act (HIPAA).
According to the rule, the notification duty applies only to healthcare providers and health plans that don't use HHS-approved techniques to encrypt or destroy information; such organizations must notify affected individuals within 60 days of a breach of this unsecured protected health information (PHI). Breaches that affect more than 500 people must also be reported to the HHS and to the media.
However, in an "interim final rule" version, the HHS amended the law to note that healthcare companies must publicly disclose data breaches only if the breach threatens significant financial or reputational harm to the individuals affected. And whether this risk is deemed significant is left up to the discretion of the healthcare company whose data has been compromised—which raises the hackles of opponents to the new rule, who contend that the amendment effectively guts the law.
Mark Bower, Voltage Security's director of information protection solutions, asserts that "the protection law should address everyone—including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise." In addition, Bower notes that "the bad guys are always looking for a way in, and in many cases they're highly sophisticated organized criminals, so we'll keep bumping into a wall if we don't get smart and protect data end-to-end."
For the full text of the breach notification rule, go to http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.