Blogger: Eric Maiwald
The latest US Federal Government stimulus package included new rules for health information. You can read the details in the American Recovery and Reinvestment Act of 2009 (see page 144 or search for HITECH).
According to the law, physicians will now be required to track a patient’s medical information anytime it is disclosed to a third party – even if the patient has given permission for that disclosure. While this provision does not go into effect until January 1, 2014, patients will have the right to request disclosure information from up to three years in the past. That seems to make it a requirement that the disclosures be tracked from 2011.
While the tracking provision will cause medical institutions to incur additional costs, the breach provisions of the act may be of greater concern. The act is similar to state laws that require disclosure of any breach of personal identifiable information (PII). For medical information that is breached, the medical practice will need to contact the individuals and post about a breach affecting 10 or more patients on the practice’s web site. If the breach is larger (500 patients or more) the medical practice will have to inform local media and the government.
In reading through the act, I didn’t find a specific exception for encrypted information like we have seen in many of the state PII breach notification laws but I did find that the disclosure only applies to “unsecured protected health information.” Now unsecured protected health information means “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2).” If the Secretary does not provide the guidance, further definition is provided so that the term will mean “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” It seems likely that encryption will be such a technology standard.
So what does this mean? I think that over the next few years we will start to see stories in the media about lost computers belonging to hospitals and other medical practices. We will also see an increase in the use of encryption by the medical community.