NetLib News

Securing Healthcare Records
Wednesday, June 24, 2009

The American Recovery and Reinvestment Act (ARRA), signed by President Obama in February of 2009, makes billions of dollars available to the healthcare industry to modernize its information technology systems.  But that money, as is generally true of government funding, has strings attached.  Along with all the new equipment will come requirements to keep the data on that equipment secure.

Part of the ARRA is called the Health Information Technology for Economic and Clinical Health (HITECH) Act, and it creates new requirements for data security and notifications if that security is compromised.  At the state level, 44 states have some sort of data breach notification laws pertaining to a variety of types of information and breach scenarios.  While there is no federal law regulating the security of medical data, there will be by August 17th, 2009, the date that ARRA requires the law to be implemented.  If you thought you weren't a covered entity, you should probably ask your lawyers to re-evaluate that notion based on the new law.

Once More Unto the Breach...

Broadly defined, a breach is an unauthorized access of protected private health information wherein the privacy or security of that information is compromised.  There is language in HITECH that delineates exceptions to that rule, so if you are not sure a breach has occurred, try applying the Potter Stewart test.  Ruling in Jacobellis v. Ohio on whether a movie was pornographic, Supreme Court Justice Potter Stewart famously said that pornography was hard to define, but “I know it when I see it.”  So will you.

If you and your lawyers (and you will need lawyers) conclude that a breach has occurred, you will have to notify every affected person individually.  If they are deceased, then next of kin must be notified.  If there is an imminent risk of the compromised data being misused, notification must be as expedient as possible, by telephone or other immediate means.  If more than 500 people are affected, you must now also notify the Department of Health and Human Services.

He Ain't Covered, He's a Business Associate

The HITECH Act also changes another fundamental aspect of HIPAA.  The rules now also apply to business associates that do business with a covered entity.   The rough definition of a business associate in this context will be any organization that “provides data transmission of protected health information and requires access to such information on a routine basis.”  Examples include health information exchanges and regional health information networks.

So if you weren't a covered entity under HIPAA until now, you may have become one.  At the risk of being repetitive, check with your attorneys.  The cost of non-compliance can be substantial, not just in the cost of a notification (which can exceed $200 per record), but also because HITECH increased potential civil penalties.

Head For Safe Harbor

But the good news is, HITECH also created a safe harbor.  If you use encryption to render your data “unusable, unreadable, or undecipherable” to unauthorized users, you may not be subject to these increasingly expensive notification requirements.  For data at rest, the encryption method must be consistent with NIST Special Publication 800-111; for data in motion, the encryption must be certified as FIPS 140-2 compliant.  So encryption not only spares you the breach in the first place, it also shows that you have made efforts to protect those records, which the government evidently feels is worth rewarding.

While HITECH became law in February of 2009, not all the details have yet been cast in stone.  Various provisions are still being debated and fine-tuned, and others will be going into effect during the remainder of 2009 and into 2010.