Treatment and Prevention – Achieving and Maintaining Compliance (part 4)

9/02/2011

In the previous segments of this series, we introduced two recent federal regulations that are poised to have a significant effect on the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule).

As the previous segments discussed, both HITECH and the Red Flags Rule establish new and complex regulatory requirements. Without a doubt, the best defense against regulatory fever is prevention through proactive planning. However, this is certainly easier said than done. While the regulatory frameworks of HITECH and the Red Flags Rule are complex, perhaps the most troubling aspect is the emerging IT market structure and its interplay with the new regulations.

Complications and Side Effects – Rules, Regulations and Penalties Continued (part 3)

9/01/2011

In the absence of federal action, many states have taken the initiative to address data breaches with their own notification laws. However, to avoid multiple notifications and conflicting obligations, both the Health and Human Services (HHS) and the Federal Trade Commission (FTC) rules expressly preempt state laws to the extent they conflict with federal requirements. State laws with greater notification requirements are not considered in conflict, though, and must be followed in addition to all federal requirements.[1] To avoid duplicative notifications, the federal government strongly recommends that entities strive to meet federal and state obligations in concert.