Although there is no monetary penalty, the settlement requires 20 years of security program evaluation by a certified third party. The company has agreed to implement a number of steps to protect the patient data it handles. In addition to employee training programs, the company must implement risk assessment and prevention and detection programs to protect data from breaches. For the risk of data breaches from insiders, or those posing as insiders, proactive detection is available as low-cost on-demand SaaS analytics services.
"...settlement is an important reminder that the [HHS] Office for Civil Rights is not the only game in town when it comes to enforcement of health information privacy and security."
- Adam Greene, Privacy Attorney, Davis Wright Tremaine.

The FTC can initiate health data breach investigations, or do so based on referrals by agencies such as the Department of Health and Human Services (HHS). "The FTC commonly issues breach investigation settlements that include corrective actions aimed at having organizations better protect consumers' personal information," says Allison Lefrak, FTC attorney.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Accretive Health Breach: FTC Settlement - www.GovInfoSecurity.com, 01/02/2014