An Update on HIPAA - New Breach Notification Rule

By Julia Mak

The HITECH (Health Information Technology for Economic and Clinical Health) Act has been signed into law as part of the Recovery Act, making changes to the privacy and security rules of HIPAA that take effect immediately. The new Breach Notification Rule applies to HIPAA covered entities and their business associates; a parallel FTC rule covers vendors of personal health records and the third-party service providers that handle PHR data.

Definition of Breach:

As defined by the Department of Health and Human Services, a breach is "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual".

Unsecured "protected health information" (PHI) is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified in the HHS guidance, which in practice means encryption consistent with the referenced NIST standards (for data at rest and data in transit) or proper destruction of the media. Notification is only required for breaches of unsecured PHI, so a lost laptop or intercepted file whose contents were properly encrypted, with the key not compromised, does not trigger the rule.

Requirements of the new breach notification rule:

  • Affected individuals must be notified without unreasonable delay, and no later than 60 calendar days after the breach is discovered
  • The notification needs to include a description of the breach, the types of information involved, and the steps affected individuals should take to protect themselves
  • Notice must be provided to prominent media outlets (e.g. a press release) if more than 500 residents of a state or jurisdiction are affected by the breach
  • Breaches must be reported to the Secretary of HHS: immediately (within the same 60-day window) for breaches affecting 500 or more individuals, and in an annual log submitted within 60 days of the end of the calendar year for smaller breaches

Recommended steps:

  • Identify which types of protected health information are unsecured
  • Evaluate how the unsecured information can be made secured
  • Evaluate approved technologies and methodologies
  • Select a reliable service provider
  • Establish security guidelines and train your staff on the proper procedures

Many common day-to-day practices are vulnerable to data breach. Just think for a minute about how you communicate information to your own staff, clients, or partners. For example, email attachments are one of the most common forms of unencrypted file transfer, and a misaddressed message or a compromised mailbox can easily turn an attachment into a reportable breach of sensitive information. It is therefore critical to select a reliable service provider to transfer or store private data. A few things to look for when picking a service provider:

  • Track record of reliability and strong industry reputation
  • An independent third-party audit report covering its controls (at the time, a SAS 70 Type II report; note that SAS 70 is an audit standard, not a certification, and has since been superseded by SSAE 16 / SOC 2 reporting)
  • Service Level Agreement

At LeapFILE, we've been providing a secure file transfer solution for thousands of businesses - helping users and IT to easily comply with regulatory requirements. Let us know if you have any questions about how we can help!
