Anecdotally, those of us who interact with the healthcare industry on a daily basis from a privacy and security perspective have known for a long time that the industry was woefully behind other industries (e.g. online banking). Therefore, it doesn't come as much of a surprise to learn from experts that the healthcare industry is the most easily hacked (e.g. according to this expert the retail industry is in better shape).
Privacy and security are simply NOT top priorities for most providers. Granted, the industry has its "hair on fire" at the moment, with 150 years of change rolled into 10, but that's not the real issue. The real issue is that the industry, en masse, fails to understand that what is required is a culture of compliance (i.e. compliance built into the day-to-day operations of existing and future business models). Until top executives realize the importance of culture, nothing of significance will change. The industry will simply roll from breach to breach, blind and oblivious, continuously whining about being over-regulated.
Europe has long led the world in creating privacy rules. Soon, Europe will likely make it a requirement for all companies with over 250 employees to appoint a Data Protection Officer (DPO).
First of all, let me start by saying that this post has nothing (directly) to do with HITECH/HIPAA. Google's Global Privacy Counsel is writing about a change to the Privacy Law in the EU. There are no similar laws (i.e. requiring a DPO) pending in the U.S. (at least none that I am aware of).
This post is about the rising awareness of the importance of Privacy (and its twin sister Security) to global business enterprises and, depending on where the enterprise is domiciled, to businesses in general. It is about an inflection point in how we think about these issues, one that has been occurring over the last decade but clearly accelerating over the last five years.
The "we" here is the global "we." However the U.S. "we," although never paying as much attention to Privacy and Security as our European counterparts, are nonetheless moving in that direction. The global communications infrastructure called the Internet, where most of us live, work and play, is simply too important a part of the global economy for Privacy and Security to continue taking a back seat. It's not going to happen.
The takeaway for the healthcare industry is that it's a brand new day. We are NEVER going back to the days when HIPAA was a paper tiger, a law on the books that the industry barely paid attention to.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH/HIPAA experience?
The Obama administration on Thursday will unveil a consumer privacy "bill of rights" that aims to give web users more control over how their personal information is collected and used online.
If you think that Washington is not paying attention to privacy and security issues then you are asleep at the wheel. Expect to see major consumer privacy legislation introduced this year. What does this mean with respect to HITECH/HIPAA compliance? Everything.
The time is running short for those diehards that continue to believe that this privacy and security obsession will pass. It won't!
The two industries historically the most regulated in the U.S. with respect to privacy and security are the financial services industry and healthcare (lagging). If the issue of privacy/security (online or otherwise) is starting to loom large across industries, then you can bet that there will be little tolerance for non-compliance in healthcare. The bottom line is that the world has changed and the healthcare industry has no place left to hide. Many of us have been beating this horse to death, and at long last it looks like the industry is starting to pay attention. It really doesn't have a choice.
The HIT Exchange November/December Issue has an excellent article entitled "HIPAA at 15: Promise and Peril." The reality, however, is that HIPAA is in its infancy, barely a toddler, born again under the HITECH Act and just now starting to crawl, at least with respect to privacy and security.
It's no secret that prior to the HITECH Act HIPAA was an unenforced paper tiger. Sure, there was general awareness of some of the "basics" of the Privacy Rule, but beyond that, it was largely ignored (which is true for almost all laws that go unenforced).
What's changed? It's not hyperbole to say that the entire healthcare industry is now undergoing dramatic change, and certainly the Internet's globalization has made privacy and security a "top of mind" issue for consumers, policy makers, and thought leaders. As clichéd as this may sound, it really is a brave new 24/7, 365 Twitter/Facebook world that we now inhabit.
We are only now starting to understand the implications of this new world and the forces that drive it. This is not your daddy's HIPAA any more.
Here are some of the relevant timelines for HITECH/HIPAA compliance. Refer to the Subtitle-D table of contents below for a quick reference to the respective sections.
HITECH enactment (February 17, 2009) Tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410).
180 days post-enactment (August 17, 2009) HHS and the FTC will promulgate interim regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA (i.e. because generally the organization that produces the PHR is not a "covered entity") or business associate agreements (Sections 13402, 13407).
24 months post-enactment (February 17, 2011) HHS clarification regarding ability to pursue civil penalties when criminal penalties are not pursued (Section 13405).
36 months post-enactment (February 17, 2012) HHS is obligated to establish regulations that will allow individuals harmed by privacy and security violations to receive a percentage of any HHS monies collected related to civil fines regarding such violations.
DIVISION A: TITLE XIII—HEALTH INFORMATION TECHNOLOGY
Sec. 13403. Education on health information privacy.
Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
Sec. 13406. Conditions on certain contacts as part of health care operations.
Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
Sec. 13408. Business associate contracts required for certain entities.
Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
The Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.” You need to implement a written program only if you have covered accounts.
It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.
There are at least some eCommerce sites that would qualify as "creditors," but most, like almost all non-profits, do not think of themselves as such. For more information and guidance regarding the Rule, click here. If you are still confused, then you are best advised to contact a Privacy & Data Security Lawyer.