Personal Health Information and the Department of Health and Human Services

How safe is your personal health information? Two reports from the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) identify deficiencies in how Americans' health information is protected and secured under the Health Insurance Portability and Accountability Act (HIPAA). The reports, made public in October 2015, focus on the HIPAA audit program and lay out plans to revamp it in early 2016.

Protected health information (PHI) is individually identifiable health information, for example a patient's name, age, and gender combined with a diagnosis, prognosis, or record of payment for treatment. This information, whether communicated orally, electronically, or in written form, when handled by health care providers, [...]


World Privacy Forum’s Medical Identity Theft Map

This article introduces the World Privacy Forum's (WPF) medical identity theft map, an interactive map that locates medical identity theft complaints collected by the Federal Trade Commission in 2008 and 2009. The article also provides a definition of "medical identity theft," as well as resources for victims of medical ID [...]


Health Information Technology for Economic and Clinical Health Act (HITECH)

Prior to the HITECH (Health Information Technology for Economic and Clinical Health) Act, there were many cases in which patients' private and confidential information was compromised without the knowledge of the health care provider. These data breaches led to legal complications, reputational damage, and loss of patients.

What is the HITECH Act?

Enacted on February 17, 2009, the HITECH Act strengthens the privacy and security protections for patient health information. As part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act made significant changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Particularly, the [...]


ARRA: Implementation Challenges

This article examines some of the difficulties involved in implementing the privacy and security requirements introduced by the American Recovery and Reinvestment Act (ARRA) of 2009. The ARRA privacy provisions that created the most concern among health care organizations nationwide are: 1) breach notification; 2) accounting of disclosures; 3) out-of-pocket payments; and 4) electronic copies of electronic health records. This article explores each of these [...]


Protecting the Confidentiality of Personally Identifiable Information (SP 800-122)

SP 800-122, a special publication released in April 2010 by the US National Institute of Standards and Technology (NIST), is a resource for those responsible for assessing privacy and designing and implementing privacy controls within information systems and business processes. This article offers a brief introduction to the key concepts and important elements of this publication.

Major Recommendations

SP 800-122 aims to provide usable guidelines for a risk-based approach to protecting personally identifiable information (PII), particularly in US federal government agencies and the organizations that handle PII on their behalf. To this end, the publication makes the following recommendations:

Organizations should identify all PII that resides in [...]