HITECH Name-And-Shame Goes Up A Gear
- Thursday, February 25, 2010, 10:07
- Threat Research
Not content with naming-and-shaming companies who break the HIPAA/HITECH health regulations through the normal press, the U.S. Department of Health and Human Services is now reporting companies who lose control of more than 500 people’s records on its Web site.
A duty to do this comes via section 13402(e)(4) of the HITECH Act:
“(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.”
For those not in the know – HITECH is a U.S. act which enforces some duty of care on people’s health information. “Covered Entities” like Health Plan providers and Care Providers (hospitals, doctors, etc.) need to put safeguards in place to ensure that our individual health information is not seen or accessible by unauthorized people. You can find out about HITECH on their excellent consumer web site.
Section (e) of HITECH is of high interest: it deals with exactly how a company has to report a breach of security regarding personal health information.
The list is already around 34 entries long, interestingly with “Private Practice” of Torrance, CA having the dubious honor of 5 separate entries – all (continue reading...)