Commentary: Stimulus Bill and Healthcare Privacy - Analysis

New ARRA measures could mean big changes in HIPAA enforcement, but how much will they actually be enforced? (Credit: Plex/SXC)

Rafal Los, security researcher and advocate, recently posted his thoughts on the HIPAA privacy and security measures described in the American Recovery and Reinvestment Act of 2009 (ARRA). You may know ARRA better as “The Stimulus Package”, but whatever you call it, the act has some interesting measures when it comes to HIPAA enforcement, policy, and repercussions for not following government mandates.

The Tech Herald looked over Rafal’s thoughts and, after reading some of the ARRA wording, agrees with his logic for the most part, but the policies are still lacking something of substance.

For example, while the ARRA sections dealing with HIPAA require an “Annual Guidance” check to ensure compliance is maintained, the wording is weak.

“ANNUAL GUIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, in consultation with industry stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date before the enactment of this Act.” – ARRA, Health and Insurance, page 169

It’s great to ensure the proper tools and protections are being used, but who will pick what works and what doesn’t? Will this be based on disclosed breaches?

How the act defines the term breach is another sticking point for Rafal, who comments, “Immediately I am struck with the marked distinction between what is an unauthorized disclosure and what is not. If you notice, the definition of what it is - is one sentence - while the definition of what it isn't is the rest of the long paragraph.”

“(1) BREACH.—The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person. Such term does not include any unintentional acquisition, access, use, or disclosure of such information by an employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, accessed, used, or disclosed by such employee or agent.” – ARRA, Health and Insurance, page 164

The phrasing, “…unintentional acquisition, access, use, or disclosure…” when paired with “…employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship…” seems to contradict the entire reason to define breach.

If the breach of protected information was “unintentional,” how does that excuse sending medical records or notices to the wrong person? How would this “unintentional” violation of HIPAA apply to printed medical records that were thrown away without being shredded? If a cleaning crew simply tosses out a stack of medical documents because they were in the trash pile, that is a violation of HIPAA.

However, according to the wording of the act, because the cleaning crew was acting in good faith as an agent of the medical office, and the person who forgot to shred the documents did not do so intentionally, then they are excused. How is that supposed to work?

When asked his opinion on how the term "breach" was defined, Byron Acohido, security journalist and owner of, said, "I'm not a lawyer. But it seems to me, whoever drafted this went to great lengths to leave a ton of wiggle room for certain parties who routinely handle health data to sidestep culpability for any data breaches. It would be interesting to see who was at the table when the authors of this definition decided what "breach" does NOT constitute."

“(c) BREACHES TREATED AS DISCOVERED.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred,” - ARRA, Health and Insurance, page 170

As pointed out by Rafal, this section leaves one to wonder, “…if a hacker reports the breach to authorities, after successfully stealing medical records, it isn't considered "discovered" until someone at the entity acknowledges it!?”

The wording attempts to say that the moment a breach is noticed by someone at the medical office, as long as that person is employed there, the breach is official and considered discovered under the law. As actually phrased, however, the section seems mainly to help those who want to avoid the public shaming and fines the act offers as punishments.

The act says that once a breach is discovered, the entity (sticking with the example of a medical office) has sixty days to notify those affected by the breach. Notices to individuals have to be written or, if there is no current contact information available, electronic. Electronic notices can be posted on the medical office’s public Web site (assuming it has one) or given through major print and broadcast media.

The notice rule regarding the media leads to the public shaming punishments offered by the act.

“(2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.” - ARRA, Health and Insurance, page 173

The problem with this section is the minimum threshold. It is why smaller breaches, which still account for a decent share of the crimes that follow an information disclosure, are often never made known to the public. You see this in the financial sector more often, but it has happened in the medical world as well.

While notice of a breach affecting 500 people or more has to be given to the Secretary of Health and Human Services immediately, the medical office can opt to disclose smaller breaches in an annual report, which is just useless paper shuffling. It is useless because the Secretary only has to post a public notice on the Department of Health and Human Services (HHS) Web site if the breach affected 500 or more people. The smaller ones are still ignored. The report the Secretary has to make to Congress each year likewise ignores the smaller breaches.

There is a strong plus to the act when it comes to how information is to be used. Rafal explained, “Page 181 also struck me as important because it identifies, for the first time that I have seen, that data taken and kept should be the minimum required to accomplish a task... this is a giant leap forward and actually seeks to lay out that only data sets that are absolutely needed must be used, whereas currently I see entities keeping way more information than they could possibly need. While I think this will be difficult to define, it is certainly a necessary first step.”

This is a great point, as it could shape the types of information collected as well. Even today you are required to fill out HIPAA forms with information that isn’t related to why you are at the doctor’s office or to your treatment. Where does this information go, and why is it collected? This could also go a long way in shaping how electronic medical records are stored.

When it comes to fines, there is a bit of a snag in the process. Fines can range from as little as $100.00 USD to a high of $50,000.00 USD, with a cap of $1.5 million.

“In the case where an entity has a very serious case of the HIPAA non-compliance blues, and can convince the auditor that they've done what is considered due care or due diligence ... while spending as little actual time, money and resources as possible - it may very well end up being less expensive to simply pay the resulting fines than to have actually good security protections in place. Even in the worst-case scenario where willful neglect is proven (and let's face it, that's nearly impossible without an internal whistle-blower) the maximum fine is only $1.5MM... while the costs of associated security technologies, manpower, and process improvement may run well into 10x that cost,” Los said.

The measures listed in the act are a great start in managing HIPAA and protecting a person’s medical information. However, there is still some work to be done. The real measure of this act’s effectiveness will come down to enforcement.

Listing rules and harsh penalties is one thing; backing them up with decisive enforcement is another, assuming things actually change one way or the other. After all, until this act starts being enforced, it’s business as usual.
