The Security Scrutinizer with Howard Anderson

Breach Notification Gap Identified

Pending Legislation Leaves Some Health Information Unprotected

A consumer advocacy group is calling attention to a little-known fact about seven federal breach notification bills pending in Congress: They would leave some healthcare information unprotected.

Healthcare organizations that are HIPAA "covered entities," such as hospitals, clinics and insurers, as well as their business associates, must comply with the HITECH Act breach notification rule, a component of the HIPAA privacy rule. That's why the pending legislation before Congress wouldn't apply to these organizations.

But Harley Geiger, policy counsel at the Center for Democracy & Technology, points out in a blog that not all healthcare information is protected under HIPAA. For example, certain commercial products and services, such as mobile health applications and social networking sites devoted to medical conditions, aren't regulated under HIPAA, although they could contain sensitive patient information.

Geiger says breach notification requirements for health information held by companies not covered by HIPAA "are weak and unclear." But of the seven breach notification bills Congress is considering, none explicitly protects health information held by companies that are not HIPAA covered entities. They're designed, instead, with other industries, especially financial services, in mind.

If Congress passes one of these pending bills, it should make sure the legislation includes protections for health information used by entities not covered under HIPAA, Geiger argues. Sounds like a good idea to me.



About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



