DATA SECURITY: COMPLIANCE WITH THE NEW HIPAA SECURITY RULE IS NOT ENOUGH
By Cameron B. Shilling and Neil B. Nicholson
The government’s attempt to keep pace with rapidly advancing technology has triggered substantial requirements on healthcare providers and other HIPAA covered entities to safeguard protected health information (“PHI”). Two months ago, the American Recovery and Reinvestment Act (“ARRA”) augmented these requirements to include individual and regulatory notice in the event of a data security breach. In addition to HIPAA and the ARRA, almost every State has enacted data security laws that require all business entities, including HIPAA covered entities, to protect “personal information,” which is not the same as PHI. Compliance with HIPAA and the ARRA is usually not enough to comply with State laws and regulations designed to safeguard this “personal information.”
The HIPAA privacy rule prohibits disclosure of PHI without patient authorization. Building on the privacy rule, HIPAA’s security rule is designed to reduce unauthorized access to electronic PHI. To comply with the HIPAA security rule, covered entities must act reasonably and appropriately to safeguard the confidentiality of electronic PHI. At a minimum, this necessitates frequent review and potential modification of security policies and procedures.
The ARRA took the HIPAA security rule one step further, requiring notification in the event of a data breach. If unauthorized access, use or disclosure of PHI occurs, the ARRA mandates that a covered entity and its business associates notify each affected individual and the United States Department of Health and Human Services Secretary of the breach. The Department will post the breach on its public website. E-mail or media notice is allowed under certain circumstances, and in all instances notification must occur within 60 days of discovery of the breach, unless delay is authorized by law enforcement due to an active investigation. Specific content must be provided in the notification, including a brief description of the breach, the covered entity’s investigation, and how the affected individuals can learn more detail about the breach.
Beyond compliance with HIPAA’s security rule, privacy rule and the ARRA, State laws and regulations require businesses to protect a patient’s “personal information,” which is not the same as PHI. “Personal information” typically is defined broadly, as it is in Massachusetts as follows: “a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.”
Like the notification requirements in the ARRA, States require notification if a breach occurs. State notification, however, is more burdensome than the ARRA because each State’s notification law is specifically designed to protect that State’s residents. Therefore, a breach of data security (e.g., unauthorized access to patients’ names and credit card numbers) involving residents of four different States requires notification to each individual patient and to the Attorney General or other designated regulatory agency of each State in which a patient resides. For example, notice of a data breach involving a Massachusetts resident is directed to the Department of Consumer Affairs and Business Regulation, but notice of a data breach involving a New Hampshire resident is directed to the NH Attorney General. Healthcare providers must know in advance to whom and when notification must be given, because notice must occur within certain timeframes, which vary by State. Even a small-scale data breach could involve residents of several States, requiring particular notice to each State.
Moreover, many States are now implementing comprehensive regulations to thwart data security breaches and avoid the fallout of a data breach notification. These regulations are even more onerous than the notification laws. For instance, Massachusetts’ regulations require every person who owns, licenses, stores or maintains “personal information” about a Massachusetts resident to create and implement a comprehensive Written Information Security Plan (“WISP”) by January 1, 2010. Covered HIPAA entities in New England likely store or maintain personal information about Massachusetts residents. Accordingly, such entities must create a WISP that (1) identifies reasonably foreseeable risks to the security of personal information; (2) evaluates the sufficiency of existing policies and control mechanisms; (3) implements policies to minimize those risks; (4) provides for regular monitoring of their effectiveness; and (5) coordinates employee training. Massachusetts’ regulations are some of the most aggressive and detailed yet created and will likely be a template for other States to follow.
Failure to comply with the Massachusetts regulations paves the way for potential civil liability and civil sanctions. Healthcare providers should act now to develop and implement the WISP and develop protocols for ARRA compliance.
Cameron G. Shilling is a shareholder and Neil B. Nicholson is an associate at the law firm of McLane, Graf, Raulerson & Middleton, P.A. McLane is the largest law firm in New Hampshire, with offices in Manchester, Concord, and Portsmouth, NH, as well as Woburn, MA.
Cam can be reached at 603-628-1351 or cameron.shilling@mclane.com.
Neil can be reached at 603-628-1483 or neil.nicholson@mclane.com.