How To Have a Successful Breach Response Under HITECH

6/30/2010

If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?

The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.

What Happens to Your Information When a Company Goes Under?

4/30/2010

The Endpoint Security blog recently reviewed the actions of a Hollywood Video store that went out of business and subsequently threw old membership forms in the dumpster. The blogger inevitably asks the question: who is to blame here?

The answer, as is usually the case, is complicated. As it turns out, disposal is the Bermuda Triangle of data privacy. Whereas an organization, while solvent, is responsible for protecting its customers’ information, the picture becomes somewhat muddy if the company folds. Unless the data breach occurs before the company is completely dismantled, it’s difficult to pinpoint anyone left to be held accountable for fines or notifications. Further, the organizational assets, like desktop computers, are often sold off to the highest bidder. It’s alarming to think how much hardware may get shuffled about, still containing the records it held at the time the company went out of business, because no one wants the added expense of erasing the data.

HITECH on the Horizon

12/23/2009

The year 2009 closes with an almost audible gasp of air, as we take in and hold our collective breaths for the coming enforcement of HITECH on February 18, 2010 — one year after enactment of the Act itself. Among the measures to be taken, these two are of particular note:

• The requirement for Health and Human Services (HHS) to begin conducting mandatory audits, and
• Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.