I've written about the HITECH Act and the data breach notification rule it adds to the Health Insurance Portability and Accountability Act a few times now. But something came across my desk this morning worth mentioning again.
Rebecca Hall at Realtime Community points out that the data breach notification rule promulgated by the U.S. Department of Health and Human Services pursuant to the HITECH Act applies even to individuals the covered entity (hospital, clinic, pharmacy, etc.) knows to be deceased.
In other words, if a breach occurs and the protected health information of a deceased person is put at risk thereby, the covered entity is required to notify the deceased person's "next of kin or personal representative." Hall says, "Many organizations will not think of this, because this is not a stipulation within many/most of the other 48 state and territory laws."
The HHS rule has been published in the Federal Register for public comment and is available online in a PDF version.