Untitled Document

News


4-15-2010 New HIPAA Regulation Coming Soon

HIPAA Covered Entities and Business Associates have anxiously been awaiting the issuance by HHS of the regulations that will further define and detail the HIPAA privacy and security requirements under the HITECH Act, including the effective dates for HHS enforcement of those requirements. Based on recent activity, the issuance of the proposed rule containing those regulations is expected to occur soon. On April 12, HHS presented its proposed rule to the Office of Management Budget (OMB) for review of financial implications. OMB review can take up to three (3) months, but it is not expected to take that long in the present case. The proposed rule will provide interested parties the opportunity to comment on the proposed regulations, which will lead to the issuance of a final rule by HHS. Visit www.inspn.org for future updates.

4-12-2010 Privacy Act Protects Some Practices With Patient Data Breaches

Dom Nicastro, for HealthLeaders Media, April 12, 2010
The Office for Civil Rights (OCR) cited a 36-year-old privacy law as the reason why it cannot post on its breach notification Web site the names of private Practitioners who report breaches of unsecured PHI affecting 500 or more individuals. Visit Health Leaders Media for the complete story.

3-19-2010 ENCRYPTION - Evaluating the Legal and Technical Challenges

Speakers Joan Antokol, Esq and Chris Prader, ITIL Certified presented at the March 18th Indiana Security and Privacy Network (INSPN) quarterly meeting on evaluating the legal and technical challenges of data encryption. Meeting highlights are below:

  • It is very important to know which states your customers are resident in because some state laws are more stringent than others - so you have to work toward the most stringent.
  • Don't forget to encrypt not only the original messages but also the back-up tapes, less your primary protection could be worthless.
  • Be sure to "classify" all your data so you know what needs protection.
  • Laptops and other portable back-up devices (memory sticks etc) are very problematic.
  • Be sure to cover these issues when training staff.
  • Be sure to have policies and procedures that address these issues - and follow them religiously.
Presentation slides are available to members on INSPN’s website. INSPN Resources/Presentations

11-10-2009 FTC Extends Enforcement Deadline for Identity Theft Red Flag Rule until June 1, 2010

At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

For additional information on Red Flag Regulations visit the FTC’s website ftc.gov/redflagsrule .

5-15-2009 Stimulus Package extends HIPPA Regulations

The American Recovery and Reinvestment Act, Title XIII HITECH (Health Information Technology for Economic and Clinical Health) expands HIPPA regulations to include “business associates”. This will require third parties that handle patient data to comply with HIPPA standards by next year. Prior to this bill, such firms were exempt and only had contractual obligation to data privacy. Companies that handle digital patient information will no longer be able to contract liability and will be required to adhere to the same stringent standards put upon health care providers.

In addition, the U.S. Department of Health & Human Services continues to release details on the disposal of protected information and breach notification guidance. For more information visit the HHS site on health information privacy. http://www.hhs.gov/ocr/privacy/index.html

4-30-2009 FTC Suspends Red Flags Enforcement

The FTC's Red Flags Rule became law Nov 1st 2008. At that time the FTC suspended enforcement until May 1st 2009 and they've now granted another delay until August 1st 2009 to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.

Some of the confusion stems around the definition of a creditor and who is obligated to comply. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. The Rule applies to creditors and financial institutions. Federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, hospitals, medical offices, non-profit and government entities that defer payment for goods or services.

The rule requires that businesses to develop a program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

For more information visit http://www.ftc.gov/opa/2009/04/redflagsrule.shtm