What in particular is new about the provisions is the area of "business associates", who previously were required to follow the rules, but now it's the law for them too, so they can also be fined, as I read this: attorneys, etc. If data is encrypted and not readable, then there is also no breach. Big hint: make sure any data on portable devices is encrypted if you still use them to move patient data. There was one instance in the UK where the data was encrypted, but the password and logon were taped to the device, and this of course would still be a breach, as it could be accessed.
If more than 50 patient files are breached, in addition to any fines, etc., a report to a major media source is also required, and nobody wants that either. BD
A new federal data breach notification rule for patients' medical data that goes into effect Sept. 23 is said to be broader in its reach than previous health data rules, but it also may have a loophole that could limit its effect.
In late August, the Health and Human Services Department published an interim final notification rule for entities covered under the Health Insurance Portability and Accountability Act (HIPAA), such as hospitals, doctors and health plans.
Business associates also include any provider of services to a HIPAA-covered entity, including third-party administrators, claims processors, attorneys, accountants and software providers.