Blogger: Eric Maiwald
The latest US Federal Government stimulus package included new rules for health information. You can read the details in the American Recovery and Reinvestment Act of 2009 (see page 144 or search for HITECH).
According to the law, physicians will now be required to track a patient’s medical information anytime it is disclosed to a third party – even if the patient has given permission for that disclosure. While this provision does not go into effect until January 1, 2014, patients will have the right to request disclosure information from up to three years in the past. That seems to make it a requirement that the disclosures be tracked from 2011.
While the tracking provision will cause medical institutions to incur additional costs, the breach provisions of the act may be of greater concern. The act is similar to state laws that require disclosure of any breach of personally identifiable information (PII). For medical information that is breached, the medical practice will need to contact the individuals and post about a breach affecting 10 or more patients on the practice’s web site. If the breach is larger (500 patients or more), the medical practice will have to inform local media and the government.
In reading through the act, I didn’t find a specific exception for encrypted information like we have seen in many of the state PII breach notification laws but I did find that the disclosure only applies to “unsecured protected health information.” Now unsecured protected health information means “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2).” If the Secretary does not provide the guidance, further definition is provided so that the term will mean “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” It seems likely that encryption will be such a technology standard.
So what does this mean? I think that over the next few years we will start to see stories in the media about lost computers belonging to hospitals and other medical practices. We will also see an increase in the use of encryption by the medical community.

This will increase the cost of handling patients’ personal data, and that cost will be passed on to the patients. I think the Health Care Providers should be allowed to purchase the encryption solutions under General Services Administration (GSA) SmartBUY discounts to keep the costs low.
Posted by: Saqib Ali | March 22, 2009 at 08:32 PM
The emphasis in the HITECH act seems to be on confidentiality and safeguarding PII, especially when information is transmitted outside the physical boundary of the health care establishment. This level of legal protection is already being required for all health care providers doing business in the State of California.
But the HITECH act also contains a stated requirement for accuracy and an implied need for the availability of the information.
The DOD/GSA SmartBUY program has focussed on the confidentiality aspect of the problem, primarily with software-based Full Disk Encryption packages that do nothing to provide confidentiality while the data is in transit, and also do nothing to protect the data against bit-rot (or contamination by malware) in storage, or the possibility of undetected data transmission errors.
Posted by: Robert Jueneman | March 23, 2009 at 05:00 PM