Welcome to the CSO Breakfast Club!
The Data Breach Notification Law went into effect on September 23, 2010. In a nutshell, the new law requires a Covered Entity to notify patients when their information has been breached IF the breach involves unsecured Protected Health Information. Unsecured Protected Health Information is defined by the new law as PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of DHHS. In a nutshell, they are saying that if a Covered Entity loses patient information and the information is not encrypted, the Covered Entity HAS to notify the patients, and DHHS, as well as the media in certain cases.

At our organization, we have gone ahead and encrypted all of our laptops and smartphones. However, I am told by our CIO that there are organizations out there who chose NOT to encrypt (which is a choice that can be made and the decision would be to notify in case of a breach) their smartphones, but use password protection and the wipe command if the device is lost or stolen. They choose not to notify anyone based on the fact that the device is password protected, and wiped (even though the entity may not be notified by the user for several days that the device is lost).

I don't believe that password protection is enough and that it absolves a CE from reporting a breach to patients...etc. The law is clear that only encryption or anything that renders data unusable, unreadable or indecipherable (and again they refer us to NIST for the technology, which is encryption) absolves a CE from reporting. Can someone share their thoughts? What are you doing at your facility? Many thanks