Entities regulated by HIPAA (Health Insurance Portability and Accountability Act) and recent updates in HITECH (Health Information Technology for Economic and Clinical Health Act) are subject to extensive data security requirements, and some states impose further security requirements. Regulations apply to “covered entities” such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as their “business associates,” which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity. “Protected health information” under HIPAA generally includes any personally identifiable information collected by or on behalf of the covered entity during the course of providing its services to individuals.
HIPAA requires public notification for breaches. However, the loss of adequately encrypted data is not generally considered a breach and is exempt from notification requirements.