Back in 2003, California became the first state to enact a law requiring companies to notify individuals if personal data had been compromised, expanding the rule in 2008 to include EMRs and health insurance information not covered by encryption. The majority of states have followed with similar laws since.
Now, though the fact has been little reported, data holders across the entire U.S. must inform consumers, including patients, if a data breach occurs, courtesy of the new stimulus law. In fact, if a data breach is large enough, providers must inform their local news media, a prospect that few providers have absorbed.
The provisions in the stimulus package provide a safe harbor from the notification requirements if the data is "unreadable, unusable or indecipherable" due to encryption technology. That should give providers a major incentive not to let laptop users store databases in the clear, a major source of data loss in recent years.
To learn more about the new requirements:
- read this Modern Healthcare piece [1] (reg. req.)
Related Articles:
Putting data breach genie back in bottle? Good luck [2]
California expands health data breach rules [3]
GA hospital health data breach due to outsourcing error [4]
Links:
[1] http://www.modernhealthcare.com/article/20090520/REG/305209993
[2] http://www.fiercehealthit.com/story/putting-data-breach-genie-back-bottle-good-luck/2008-12-08
[3] http://www.fiercehealthit.com/story/california-expands-health-data-breach-rules/2008-01-07
[4] http://www.fiercehealthit.com/story/ga-hospital-health-data-breach-due-outsourcing-error/2008-09-28?utm_medium=rss&utm_source=rss&cmp-id=OTC-RSS-FHI0