How your health records are safer — or at least you’ll know about all the disclosures now….

Well – it wasn’t a billion dollar bailout and it wasn’t a new ‘public option’, but it was, on September 23rd, the official STARTING DAY of the new HIPAA breach disclosure rule, another tangible effect of the American Recovery and Reinvestment Act of 2009.

The breach disclosure rule is a little unusual in the way it dictates how healthcare entities have to behave if there is a disclosure of YOUR PHI (i.e. Protected Health Information). Your PHI could be interesting little tidbits of information like:

– Detailed health info on 1000 Hollywood celebrities, probably all about face lifts, nose jobs and liposuction.

– Details on whose tubes got tied.

– Embarrassing information on warts and other disgusting physical problems.

– Or just info you don’t want everyone to know about.

The new Breach Disclosure rules protect you. Here are some of the details about what the organization that leaked your sensitive info has to do…

If the breach involved fewer than 500 individuals’ information, then you must be notified within sixty days and “without unreasonable delay”. If more than 500 individuals’ information is breached, then the organization not only has to notify the Department of Health and Human Services, but also has to send out a press release and notify the media — film at eleven.

Covered organizations (covered entities) will not be penalized until February 22, 2010. So for now, organizations should make sure they have these disclosure guidelines in place and practice them, including training and awareness exercises, so they will be ready by February.

Organizations must also do an individual RISK ASSESSMENT on each breach to calculate the harm that the breach may do to an individual. For example, whether the breach would affect their health insurance, or their relationship!

There are additional considerations about whether the breach was done in error and the actual disclosure was limited, or whether it was a malicious disclosure – done on purpose, or for financial gain.

The breach notification rule, in my opinion, is just another manifestation of how serious the government has become about protecting personal information, whether it is protected health information, or personal financial information.

The FTC reported that identity theft is the number one consumer complaint, and so protection of your information has moved up to the top of the list. Lucky us.