The Department of Health and Human Services is out with new rules for protecting and dealing with the loss of patient data under HIPAA, with comments due May 21 either in writing or online.
The new proposed rules, called a guidance, are required under the HITECH Act, part of the Obama Stimulus.
An FTC rulemaking on the same subject, covering entities not otherwise covered by HIPAA, is also going through its comment period, with those due June 1.
Generally, both sets of rules require that patients be notified when their data is put at risk, and describe how encryption or anything that renders the data unusable can protect covered entities from liability.
HIPAA has been used as an excuse to keep records on paper ever since the act was passed, with the health industry continuing to insist on looser restrictions and privacy advocates urging a tightening.
At first glance the new rules are not that onerous. The proposal notes, for instance, that once personally identifiable information is stripped from a record it is no longer subject to the law's provisions, as when records are compiled for purposes of research.
Still, the idea that you must maintain control of records and notify consumers of any loss of data remains a fear for all health providers. Will this proposal alleviate those concerns?