The Security Scrutinizer with Howard Anderson

Breach Notification Gap Identified Pending Legislation Leaves Some Health Information Unprotected

Healthcare organizations that are HIPAA "covered entities," such as hospitals, clinics and insurers, as well as their business associates must comply with the HITECH Act breach notification rule, a component of the HIPAA privacy rule. That's why the pending legislation before Congress wouldn't apply to these organizations.

But Harley Geiger, policy counsel at the Center for Democracy & Technology, points out in a blog that not all healthcare information is protected under HIPAA. For example, certain commercial products and services, such as mobile health applications and social networking sites devoted to medical conditions, aren't regulated under HIPAA, although they could contain sensitive patient information.

Geiger says breach notification requirements for health information held by companies not covered by HIPAA "are weak and unclear." But of the seven breach notification bills Congress is considering, none explicitly protects health information held by companies that are not HIPAA covered entities. They're designed, instead, with other industries, especially financial services, in mind.

If Congress passes one of these pending bills, it should make sure the legislation includes protections for health information used by entities not covered under HIPAA, Geiger argues. Sounds like a good idea to me.



About the Author

Howard Anderson
News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.