Healthcare providers and others handling sensitive patient data are now finding the stakes raised if they suffer a data breach because of a new law known as the "Health Information Technology for Economic and Clinical Health Act," or HITECH Act.
Passed by Congress in February, the HITECH Act is now coming into enforcement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), which each have been given a role to play under the law, potentially levying punishments and fines on organizations that stumble in protecting personal health information.
Depending on whether a data breach arises from a simple mistake to willful theft, fines will range in tiers from as low as $100 per violation for a slip-up regarding unencrypted data to $1.5 million or more for knowingly and willfully violating the data-breach rules, say those familiar with the HITECH Act.
"Under the HHS rule, you have to figure out if you had a data breach," says Rebecca Fayed, attorney-at-law firm Sonnenschein, Nath & Rosenthal's healthcare group division in Washington, D.C.. But the new rules, which cover both electronic and paper formats, are far from simple.
The HITECH Act, devised by Congress primarily to address electronic medical records, is being noted for its impact in adding a tough data-breach notification requirement to the long list of long-existing Health Information Portability and Accountability Act (HIPPA) security and privacy rules.
Like HIPAA, the HITECH Act covers healthcare providers, insurers, clearinghouses and also business associates handling personal information about patient health, as well as other protected information, including name, Social Security number, address and insurance account numbers.
Fayed says there's often the misperception that the HITECH Act will require public disclosure of any data breach of unencrypted personal health information (PHI) but the fine print actually says the data breach has to have impacted at least 500 people in one state. "Then you have to notify the media," she says. If the data breach "is only five people, HHS doesn’t want you calling them," though you will have to inform the individuals impacted.
And it appears there's no need to report an employee unintentionally accessing a record by mistake in the course of doing his job. A lot of the talk about HITECH is centering on encryption because the breach notification only applies to "unsecured PHI," Fayed says. The HHS guidelines set forth two basic ways to secure that data, "encryption" for electronic data and "destruction" applied as a means to destroy electronic data or paper.
When it comes to encryption and stored data security, guidelines from the National Institute of Standards and Technology are referenced, including NIST’s FIPS 140-2 for certification of encryption products. Though encryption isn't mandatory under HITECH Act, just by bringing encryption technology into the discussion of a data breach the federal government is raising the bar about what's implied about best practices, Fayed notes.
So, the bottom line is the HHS-issued guidelines, now an interim final rule that went into effect Sept. 23 (though it won't be enforced until February 2010 by the office of civil rights at HHS), is a game-changer.
Wes Rishel, vice president and distinguished analyst at Gartner, calls the HITECH Act ground-breaking.
"This is the first time there's been a federal regulation for data breach," Rishel says. It changes the balance in terms of security and puts an emphasis unknown before on encryption because a data breach of encrypted data is not going to have to be reported.
Although there are now far fewer known instances of data breaches involving PHI than credit cards, for example, it doesn't mean that these cases don't happen, many say.
Fraud involving stolen patient healthcare data, primarily Medicare/Medicaid identity theft for making money off submitting fraudulent claims, is not uncommon, Fayed says. "The reason you haven't heard about these is because people haven't had to report these yet," she says.
The HITECH Act has more healthcare providers crafting encryption strategies.
"They should be deploying encryption," says Forrester analyst Noel Yuhanna. But encryption use to protect stored data is not typical today among HIPAA-regulated organizations and they are going to be struggling to encrypt and decrypt effectively among business partners. "Encryption can create a big mess, too."