DataBreaches.Net


Congress heard us! (commentary)

Posted on February 19, 2009 by Dissent

I’m first working my way through the provisions in the stimulus bill that relate to breaches and notifications. One of the recommendations that I and other privacy advocates had made was central notification and disclosure on a publicly available web site. They heard us. Here’s part of the new law:

(3) NOTICE TO SECRETARY- Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals then such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.
(4) POSTING ON HHS PUBLIC WEBSITE- The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

I can’t tell (yet) what happens to logs of breaches of unsecured PHI affecting fewer than 500 people that are submitted to HHS in terms of whether they, too, will be posted on the HHS web site. It sounds like they may not get posted, and this only applies to unsecured PHI and not all breaches involving PHI, but it still represents significant progress over what we had under HIPAA and state laws. And this certainly is a boon to those of us who try to track breaches.

Another provision of note concerns individual notice. If the entity cannot contact 10 or more people by mail or other means, then it must use a substitute form of notice such as a prominent posting on its web site or a media notice. That provision will also increase our awareness of breaches because under HIPAA, entities had no duty to notify patients of breaches, only to mitigate harm.

As to the content of notice, the law specifies:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.

(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

The first requirement is helpful because it will stop a lot of the “We recently learned” phrases that give us no idea when the entity actually was breached or learned of the breach.

There’s a lot more to the provisions, and I will continue working my way through them. No bill is perfect, but there really are some definite improvements in this law from a privacy advocacy perspective.

Category: Breach Laws, Federal, Health Data, Legislation, U.S.
