
Red Flag Enforcement Delayed Again (x3) Until November 1, 2009

Red Flag Delayed

The FTC announced today:

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

(http://www.ftc.gov/opa/2009/07/redflag.shtm)

The delay is not a surprise.

Red Flag compliance should not distract a covered entity from compliance with the HITECH Act, for example the encryption guidance that has been issued by HHS. This guidance marks a significant departure from how HIPAA handled encryption in the past, and more generally from the privacy/security safeguards that will be acceptable after February 2010.

Once HHS issues its guidance on security breaches, a covered entity must be using a FIPS 140-2 approved algorithm in order to fall within the safe harbor. A covered entity or a business associate can check whether its software meets these guidelines at the following website, which lists the products/software that meet the new standards: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. Note that certificates can be revoked, and that a compliant product has a vendor-supplied security policy that must be followed when the product is used.

I find the following deadlines much more concerning:

Within 180 days of enactment (August 16, 2009)
• HHS and the Federal Trade Commission will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA or Business Associate agreements (Sections 13402, 13407).
• Most of the new privacy and security requirements become mandatory one year after the effective date of ARRA, namely on February 17, 2010.
• However, some of the provisions become effective earlier, including, for example, the new restrictions on sales and marketing and the expanded breach notification requirements. Those provisions become effective 30 days after additional guidance is issued. There is a 180-day limitation on the issuance of those guidance documents, so presumably those provisions will become mandatory on or before August 17, 2009.

By December 31, 2009
• HHS must adopt through rulemaking the initial prioritized set of standards, which should include the accounting for disclosures (Section 3002b).

Due within one year post enactment (February 17, 2010)
• The Secretary will appoint a Chief Privacy Officer (Section 3001).
• The Office of Civil Rights and HHS will launch an education initiative to improve public transparency on the use of health information (Section 13403).
• The Government Accountability Office will report on best practices for disclosures for treatment and use of electronic informed consent (Section 13424).
• HHS will report on and provide guidance on de-identification (Section 13424c).
• Covered entities must enter into Business Associate Agreements with PHRs, HIEs, and other services that handle protected health information (Section 13405e).
• HHS will issue rules on opting out of fundraising solicitations (Section 13406).
• HHS will report on guidance on the effective technical safeguards for carrying out the HIPAA security rule (Section 13401c).
• HHS and the Federal Trade Commission will report on privacy and security requirements for PHR vendors and applications.
• HHS and the Office of Civil Rights will clarify the application of criminal penalties to non-covered entities (Section 13409).
• HHS will issue rules on which entities are required to be business associates (Section 13401).
• Right to restrict disclosures to health plans for services paid for out of pocket (Section 13405a).
• HHS Secretary required to conduct periodic audits of entities covered by HIPAA (Section 13411).
• Right of electronic access to records by patients takes effect (Section 13405e).
