August 21, 2009
HIPAA Breach Notification Interim Final Rule Issued by Department of Health and Human Services
More HIPAA-related news (in addition to the new whitepaper we published this week, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email):
In a press release from the Department of Health and Human Services this week (issued August 19, 2009), HHS announced the interim final HIPAA rules on notification of breaches of protected health information. In short, healthcare providers, health plans and other covered entities (including business associates of HIPAA-covered entities) must promptly notify affected individuals when their health information is breached.
In addition, the Secretary of HHS and a media outlet must be notified when a breach affects more than 500 individuals. Breaches that affect fewer than 500 individuals must be reported to the Secretary of HHS annually.
In the HHS statement, Robinsue Frohboese (acting director and principal deputy director of the HHS Office of Civil Rights) said, "This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."
Note that the notification rules do not apply if the health information in question has been encrypted in accordance with the HHS guidance referenced below. From the text of the interim final rule document itself (PDF version here: http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf):
"Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information - that is, the information is not considered 'unsecured' in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals."
Proofpoint's own research has shown that email remains the #1 source of data breaches in large enterprises and that 34% of large US companies investigated an email-based violation of privacy or data protection regulations in the past 12 months. As the new notification rules take effect, it's likely we'll be hearing about many more healthcare privacy breaches than have been reported in the past.