Laptop Computer Security

U.S. Department of Health and Human Services Posts “The Mega-Breach” Site

There’s a new list in town, and it’s one of “those” kinds of lists, the kind nobody wants to appear on. It’s similar to being on Santa Claus’ naughty list, only in this case inclusion could mean millions of dollars in fines for a business responsible for a breach of protected health information (PHI).

The days of “a lump of coal in the stocking” are certainly over.

The HITECH Act of 2009, one intent of which was to add more teeth to data security requirements for healthcare information, included a provision in section 13402(e)(4) requiring the Secretary of the U.S. Department of Health and Human Services to post a list of data breaches of unsecured protected health information affecting 500 or more individuals.

We might call these the “mega-breaches,” or at least the serious breaches, the ones that affect many people.

A couple of important details about the HITECH Act of 2009 are worth noting. First, if a breach affects fewer than 500 people in one state, the breaching organization does not have to notify the media (though one of the victims certainly might). The organization does still have to notify each affected individual of the breach. Second, the rules apply to unsecured PHI, which in practice means unencrypted PHI: data that was encrypted in a manner consistent with HHS guidance, and whose key was not compromised along with it, falls outside the notification requirement. Encrypting the data, as always, mitigates the risk and turns a “breach” into a “non-event.”

Encrypting data at rest, such as with MyLaptopGPS’ FIPS-certified strong encryption, is the key difference between a major PR disaster (and regulatory nightmare) and a sigh of relief.

And now for The Bad List, which is posted on HHS’ website.
