Eventually a floor?

Mar 10, 2003

The U.S. Department of Health and Human Services published the final Health Insurance Portability and Accountability Act security standards on Feb. 13, after a rather long gestation period that in the minds of many privacy advocates included a significant watering down of the regulations.

The HIPAA regulations run about 6,500 words and were published in the Federal Register with an extended commentary detailing changes resulting from responses to earlier versions. The federal government has set up a Web site dedicated to the new rules and their interpretation.

The gist of these rules is that individuals must give their consent before medical data can be shared, except when the sharing is in support of treatment, payment or healthcare operations. In addition, the rules define security, administrative, physical, technical, organizational, documentation and policy safeguards.

In general, the rules look reasonable, but there are some funnies. For example, the use of encryption is not required for data communications, although, as the Frequently Asked Questions section puts it, “Covered entities are encouraged, however, to consider use of encryption technology for transmitting electronic protected health information, particularly over the Internet.”

If you are not a healthcare-related business, you might wonder how much this new set of rules affects you. Sure, it’s good to think that your personal healthcare records might not be quite as easily accessible to random third parties, but you might think that these rules would not affect your IT-related day job. You might just be wrong – maybe not right away, but over time you could be quite wrong indeed.

I was talking to an auditor friend a while ago about HIPAA, and he pointed out a potentially important bit of history. One thing that the U.S. court system has sought for quite a while is a solid understanding of what should be considered “reasonable care” in the area of protecting data in a corporation. What systems, procedures and technologies would someone who wanted to protect corporate data, such as customer credit card information, employ? Until now there has not been agreement on what that should be.

But now the U.S. government has come up with guidelines that define just what a reasonable person should do to protect a particular type of data. My friend wondered if the courts, driven by plaintiffs’ lawyers, would start to use these guidelines in cases involving other types of data. After all, what is described here is all well within the state of the art. Why shouldn’t it apply to all important data?

There is no way to tell if the HIPAA guidelines will wind up becoming the basic rules for data protection – a floor of the range of options, rather than the top as they are now. But for those of us who worry about protecting privacy, it might not be a bad thing if it did happen.

Disclaimer: These rules could move from being a fact of life for med school graduates and an opportunity for law school graduates to a worry for business school graduates. But I did not ask any of the schools in developing this musing.