Many organizations have implemented a HIPAA risk assessment and a well-defined privacy and security plan, meeting all the criteria of the omnibus rule. If they suffer a breach, they can proclaim that they have met all the requirements; as part of their media campaign, they show HHS and reporters their due diligence and argue that they should not be penalized for the breach. Fortunately, HHS is not the only agency with jurisdiction. If an organization handles or transacts business on the internet with personal health care information, it also falls under the jurisdiction of the Federal Trade Commission.
Does your SaaS organization know the FTC regulations for cyber security?
As part of the American Recovery and Reinvestment Act of 2009, Congress directed the FTC to issue a rule that applies to vendors of personal health records, to entities that provide online repositories the public can use to keep track of their health information, and to entities that offer third-party applications for personal health records. The final rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. If a service provider to one of those entities has a breach, it must notify the entity, which in turn must notify consumers. In stark contrast to HIPAA, the FTC can bring an enforcement action based upon its own determination that an entity's data security practices are "unfair," but it has not published regulations or issued specific guidance on how or when a determination of "unfairness" is made. Instead, the FTC can declare that an entity's data security practices are "unfair" because they are not "reasonable," similar to the HIPAA standard of "reasonable." The vagueness of "reasonable" and "unfair" can leave your organization guessing how to become FTC-compliant.
The final rule specifies the timing, method, and content of notification and, in the case of certain breaches involving 500 or more people, requires notice to the media. Entities that fall under this rule must notify the FTC and use a standard FTC form. This rule applies to SaaS organizations that store or transact PHR.