In her Realtime IT Compliance blog, Rebecca Herold posted an article about the implications of the FTC’s Health Breach Notification Rule.
As usual, it will probably take a while for the dust to settle so that we can understand the full implications of the rule. But Rebecca noted one fascinating aspect: security breaches involving the Personal Health Information of individuals that the organization knows to be deceased must be reported to the deceased’s next of kin or personal representative.
I don’t think I’ve come across a requirement like this before, and it’s not clear what implications this will have for record retention policies and associated training.