Health care related businesses have only two more days to prepare a data breach notification plan. A new rule requiring that health care providers, insurers and clearinghouses must notify individuals whose information has been inappropriately accessed goes into effect September 23.

Additionally, the data breach notification rule applies to any business associates of any entity covered by HIPAA.

The notification is to be made “as soon as reasonably possible,” but in most cases within 60 days of discovery. An exception to this provision is made if law enforcement requests a delay, a common occurrence when an investigation is ongoing, particularly if the breach appears to affect a large number of people or is part of a larger scam.

However, even if notification takes place within 60 days, but the Department of Health and Human Services (HHS) could determine the covered entity failed to meat the provision if notification could have been made sooner.

If the breach involves 500 or more people, HHS and the media have to be notified. All other smaller breaches should be reported annually.

Another exception to the rule is encrypted or destroyed information. If a hacker breaks into a server or database that the health care entity has taken measures to adequately protect, the entity is off the hook and doesn’t have to make any notification.

Data breach is defined as “the acquisition, access, use or disclosure of protected health information in a manner not permitted (by the HIPAA Privacy Rule) that compromises the security or privacy of the protected health information” or that means a “significant risk of financial, reputational or other harm to the individual.”

The rule is part of an alphabet soup of new legislation. It applies to any entity covered by the Health Insurance Portability and Accountability Act (HIPAA), and is part of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

More than 1,000 current and former Massachusetts prison employees are at risk of identity theft—and more—after their names, home addresses, phone numbers, dates of birth and Social Security numbers were exposed in a data breach.

Francis Janosko used his time as a prisoner at the Plymouth County Correctional Facility to hack into the prison’s computer network and reconfigure it to allow other inmates to access the employees’ information, according to a grand jury indictment.

Inmates at the Plymouth prison are allowed computer access to perform legal research, but were not given access to the Internet, e-mail or the prison network.

Janosko was arrested in North Carolina last week following an FBI investigation and charge with intentional damage to a protected computer and aggravated identity theft. If he is convicted, the computer charge carries a fine of up to $250,000; the aggravated identity theft charge could result in a two-year prison sentence.

Janosko was serving time in the Massachusetts prison after police found pictures of nude children on his cell phone. It was the third time he was charged with child pornography. The state of Massachusetts has had Janosko listed as a high-risk sex offender since 2005.