Rafal Los makes some very good points in his post “Analysis of the Stimulus Bill and Healthcare Privacy” from a few days ago. I started writing all my thoughts as a comment to him, but then decided it would work well as a blog post…
It is common for many information security, privacy and other business leaders to just say, “Bah! Humbug! Law XYZ is useless!” without ever even having read through the text. If there’s criticism, base it upon actual evaluation of your object of contention.
So, I really love to see information security professionals, such as Rafal, go beyond a cursory grump and foot stomp and actually dissect a law and provide reasoning behind his opinions; kudos to you, Rafal, for your demonstrated critical thinking!
One of the biggest flaws with our laws and those that wrote/write them is that they do not come from a practitioner background, and so they take a pretty decent goal, with honorable intentions, and throw together inappropriate terminologies and infeasible or flawed directives that result in largely ill-formed regulatory verbiage.
However, that said, I do believe strongly that there is a need for laws to protect the privacy and security of our personally identifiable information (PII), and with the growing epidemic of medical identity theft, protected health information (PHI) is of significant concern. Left to their own volition, many to most business leaders will not invest in effective information security or privacy protections. Many business leaders have not only said this to me, but also have expressed this in print, at company meetings, and in growing numbers in the court rooms.
So, we do need data protection laws if we can expect businesses to invest in protecting PII.
Actually, covered entities are the ones who must implement the laws in such a way as to protect PII and PHI, and it is the oversight agencies that have to give the laws and regulations teeth. The FTC is a great example of an agency that has not only been enforcing the many regulations for which it is responsible, such as the FTC Act and COPPA, but has also actively sought out violators instead of just waiting for the complaints to come in.
What we have to work from is the HIPAA Privacy Rule, HIPAA Security Rule, and now, the HITECH Act, along with a menagerie of assorted other federal and state level data protection laws, not to mention the hundred or so data protection laws outside of the US.
Is HIPAA perfect? Heck no! However, I would encourage you to do what you can to take it, remake it, and use it to result in better protection of PHI. Badger lawmakers and regulatory oversight agencies to get off the stick and start sticking it to violators who have, as a result of their slovenly safeguards, made many individuals face nightmares of various types of crimes, frauds and identity thefts. I, too, need to be better at being a squeaky information security and privacy proponent wheel in the ears of my own legislators.
Are there problems and flaws with the HIPAA rules and the HITECH Act? Most definitely! Rafal eloquently pointed some of them out. And yes, there certainly is a lot of CYA language within the text. In our litigious society I doubt we will ever be able to get away from overly verbose exceptions within regulations, such as for what constitutes a “discovered” breach. It’s far from perfect, but I’m glad to see that a breach response requirement now exists. I always thought it silly that the HIPAA Privacy Rule and Security Rule did not include a breach notification requirement to begin with!
However, despite the past deplorable lack of enforcement activity, I do see HIPAA enforcement having an uptick in the coming months. I recently posted about the sanctions applied (now stands at a total of two if I’m up to date) and the criminal convictions (now stands at 8 if I’m up to date) in “Another HIPAA Felony Conviction; 8 To Date”.
While the first sanction was a mere $100,000, the recent second sanction against CVS for $2.25 million made a lot of healthcare covered entity CEOs sit up, take notice, and dust off their Rolodex entry for their information security and privacy officers.
I have just written a detailed account of the HIPAA sanctions and criminal convictions tentatively titled “HIPAA Felony Convictions, Sanctions and Upcoming Trends” where I discuss why I see compliance efforts soon being more aggressive. I’m still trying to decide on the best publication path. I will do this soon!
As a side note, actually there have been, and are, many data protection laws that require a “minimum necessary PII to be collected” type of requirement. Yes, it is good to have this requirement whenever PII is concerned.
Tags: awareness and training, HIPAA, HITECH Act, Information Security, IT compliance, IT training, patient privacy, PHI, PII, policies and procedures, privacy training, risk management, security training