The Security Scrutinizer with Howard Anderson

Breach Notification Gap Identified

Pending Legislation Leaves Some Health Information Unprotected Howard Anderson (ismg_editor) • August 10, 2011    

Healthcare organizations that are HIPAA "covered entities," such as hospitals, clinics and insurers, as well as their business associates must comply with the HITECH Act breach notification rule, a component of the HIPAA privacy rule. That's why the pending legislation before Congress wouldn't apply to these organizations.

But Harley Geiger, policy counsel at the Center for Democracy & Technology, points out in a blog that not all healthcare information is protected under HIPAA. For example, certain commercial products and services, such as mobile health applications and social networking sites devoted to medical conditions, aren't regulated under HIPAA, although they could contain sensitive patient information.

If Congress passes one of these pending bills, it should make sure the legislation includes protections for health information used by entities not covered under HIPAA. 

Geiger says breach notification requirements for health information held by companies not covered by HIPAA "are weak and unclear." But of the seven breach notifications bills Congress is considering, none explicitly protect health information held by companies that are not HIPAA covered entities. They're designed, instead, with other industries, especially financial services, in mind.

If Congress passes one of these pending bills, it should make sure the legislation includes protections for health information used by entities not covered under HIPAA, Geiger argues. Sounds like a good idea to me.



About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care
Zero Trust, Auditability and Identity Governance
Zero Trust, Auditability and Identity Governance
Inside Look: FDA's Cyber Review Process for Medical Devices
Inside Look: FDA's Cyber Review Process for Medical Devices
Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
The State of Security Leadership
The State of Security Leadership
Why OT Security Keeps Some Healthcare Leaders Up at Night
Why OT Security Keeps Some Healthcare Leaders Up at Night
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.