Commentary: Stimulus Bill and Healthcare Privacy - Analysis

Rafal Los, security researcher and advocate, recently posted his thoughts on the HIPAA Privacy and security measure as described in the American Recovery and Reinvestment Act of 2009 (ARRA). You may know ARRA better by the name “The Stimulus Package”, but however you name it, the act itself has some interesting measures when it comes to HIPPA enforcement, policy, and repercussions for not following government mandates.

The Tech Herald looked over Rafal’s thoughts, and after reading some of the ARRA wording, agrees with his logic for the most part, but the policies are still lacking something of substance.

For example, while guidelines in the ARRA sections dealing with HIPAA force an “Annual Guidance” check, to ensure compliance is maintained, the wording is weak.

“ANNUAL GUIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, in consultation with industry stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date before the enactment of this Act.” – ARRA, Health and Insurance, page 169

It’s great to ensure the proper tools and protections are being used, but who will pick what works and what doesn’t? Will this be based on disclosed breaches?

How the act defines the term breach is another sticking point for Rafal, who comments, “Immediately I am struck with the marked distinction between what is an unauthorized disclosure and what is not. If you notice, the definition of what it is - is one sentence - while the definition of what it isn't is the rest of the long paragraph.”

“(1) BREACH.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person. Such term does not include any unintentional acquisition, access, use, or disclosure of such information by an employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, accessed, used, or disclosed by such employee or agent.” - ARRA, Health and Insurance, page 164

The phrasing, “…unintentional acquisition, access, use, or disclosure…” when paired with “…employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship…” seems to contradict the entire reason to define breach.

If the breach of protected information was “unintentional,” how does this forgive sending medical records or notices to the wrong person? How would this “unintentional” violation of HIPPA deal with printed medical records just thrown away without being shredded? If a cleaning crew simply tosses out a stack of medical documents, because they were in the trash pile, then that is a violation of HIPPA.

However, according to the wording of the act, because the cleaning crew was acting in good faith as an agent of the medical office, and the person who forgot to shred the documents did not do so intentionally, then they are excused. How is that supposed to work?

When asked his opinion on how the term "breach" was defined, Byron Acohido, security journalist and owner of, said, "I'm not a lawyer. But it seems to me, whoever drafted this went to great lengths to leave a ton of wiggle room for certain parties who routinely handle health data to sidestep culpability for any data breaches. It would be interesting to see who was at the table when the authors of this definition decided what "breach" does NOT constitute."

“(c) BREACHES TREATED AS DISCOVERED.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred,” - ARRA, Health and Insurance, page 170

As pointed out by Rafal, this section leaves one to wonder, “…if a hacker reports the breach to authorities, after successfully stealing medical records, it isn't considered "discovered" until someone at the entity acknowledges it!?”

Again, while the wording attempts to express that the second a breach is noticed by someone at the medical office, as long as they are employed there, then the breach is official and considered discovered under law. However, the actual phrasing of this section seems to only help those who want to avoid the shaming and fines offered in the act as punishments.

The act says that once a breach is discovered, the entity, or sticking with the example of a medical office, has sixty days to notify those who are involved in the breach. Notices to individuals have to be written, or if there is no current contact information available, electronic. Electronic notices can be on a public Web site for the medical office (assuming they have one) or major print and broadcast media.

The notice rule regarding the media leads to the public shaming punishments offered by the act.

“(2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.” - ARRA, Health and Insurance, page 173

The problem with this section is the minimum limit. This is why smaller breaches, which still make up a decent number of post-information disclosure related crimes, are often never known to the public. You see this in the financial sector more often, but it has happened in the medical world as well.

While notice of the breach if it is 500 people or more has to be given to the Secretary of Health and Human Services instantly, the medical office can opt to disclose the smaller breaches in an annual report, which is just useless paper shuffling. The reason for it being useless is that the Sectary only has to post a public notice to the Depart of Health and Human Services (HHS) Web site if the breach affected 500 or more people. The smaller ones are still left ignored. The report the Secretary has to make to Congress each year likewise ignores the smaller breaches.

There is a strong plus to the act when it comes to how information is to be used Rafal explained, “Page 181 also struck me as important because it identifies, for the first time that I have seen, that data taken and kept should be the minimum required to accomplish a task... this is a giant leap forward and actually seeks to lay out that only data sets that are absolutely needed must be used, whereas currently I see entities keeping way more information than they could possibly need. While I think this will be difficult to define, it is certainly a necessary first step.”

This is a great point, as this could shape the types of information collected as well. Even today you are required to fill out HIPAA forms with information that isn’t related to why you are at the doctor’s office or relate to treatment. Where does this information go and why is it collected? This could also go a long way in shaping how electronic medical records are stored.

When it comes to fines, there is a bit of a snag in the process. Fines can range from as little as $100.00 USD, hitting a high of $50,000.00 USD. The cap is $1.5 million.

“In the case where an entity has a very serious case of the HIPAA non-compliance blues, and can convince the auditor that they've done what is considered due care or due diligence ... while spending as little actual time, money and resources as possible - it may very well end up being less expensive to simply pay the resulting fines than to have actually good security protections in place. Even in the worst-case scenario where willful neglect is proven (and let's face it, that's nearly impossible without an internal whistle-blower) the maximum fine is only $1.5MM... while the costs of associated security technologies, manpower, and process improvement may run well into 10x that cost,” Los said.

The measures that are listed in the act are a great start in managing HIPPA and protecting a person’s medical information. However, there is a still some work to be done. The real measure of this act’s effectiveness will be when it comes to enforcement.

Listing rules and harsh penalties is one thing, backing them up with decisive enforcement is another, assuming that things actually change one way or another. After all, until this act starts being enforced, for the time being it's business as usual.

Like this article? Please share on Facebook and give The Tech Herald a Like too!