Treatment and Prevention – Achieving and Maintaining Compliance (part 4)

9/02/2011

In the previous segments of this series, we introduced two recent federal regulations that are poised to have a significant effect on the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule).

As the previous segments discussed, both HITECH and the Red Flags Rule establish new and complex regulatory requirements. Without a doubt, the best defense against regulatory fever is prevention through proactive planning. However, this is certainly easier said than done. While the regulatory frameworks of HITECH and the Red Flags Rule are complex, perhaps the most troubling aspect is the emerging IT market structure and its interplay with the new regulations.

Complications and Side Effects – Rules, Regulations and Penalties Continued (part 3)

9/01/2011

In the absence of federal action, many states have taken the initiative to address data breaches with their own notification laws. However, to avoid multiple notifications and conflicting obligations, both the Department of Health and Human Services (HHS) and Federal Trade Commission (FTC) rules expressly preempt state laws to the extent they conflict with federal requirements. State laws with greater notification requirements are not considered in conflict, though, and must be followed in addition to all federal requirements.[1] To avoid duplicative notifications, the federal government strongly recommends that entities strive to meet federal and state obligations in concert.

Complications and Side Effects – Rules, Regulations and Penalties (part 2)

8/31/2011

In the last segment, we introduced two recent laws that have significantly increased the regulatory compliance obligations of the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule). As the Office for Civil Rights (OCR) reporting website demonstrates, the impetus for these new data breach regulations clearly has not been overstated. HITECH requires the OCR to post PHI breaches involving more than 500 individuals, and since the rule went into effect in February of 2009, 288 incidents have been reported, four of which involve over 1 million individuals. With the threat of data breaches clear and regulatory fever now in full swing, it is important to understand the specific requirements and implications of these new laws on the health care industry.

The Cure for Regulatory Fever: Causes and Symptoms – Overview (part 1)

8/30/2011

Flu season may be over, but for the health care industry, a more troublesome and persistent threat is just warming up. Regulatory fever, a common side effect of an ailing economy, is now nearly in full swing. Beginning with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, ensuring privacy and security of patient information in the health care industry has been a primary concern for legislators over the past decade and a half. The HIPAA Privacy Rule extends federal protection to personal health information held by covered entities, and is fulfilled by the Security Rule, which prescribes the use of security safeguards to ensure confidentiality is maintained.[1] While HIPAA was a significant step forward in the security of personal health information management, two new regulations are raising the bar even higher in an effort to integrate and benefit from advancements in information technology.

When Determining Business Associate Relationships, It Pays to Be Creative

8/24/2011

Determining whether or not your third-party provider should be classified as a Business Associate (BA) according to HIPAA is not always a clear-cut issue. Case in point: authors Adam Greene and Michael Sloan of Davis Wright Tremaine recently published a legal advisory warning that Covered Entities (CEs) need to look closely at whether or not their telecommunications and internet service providers should be classified as BAs due to incidentally maintaining PHI on behalf of a CE using the service.