HIPAA Accountability in Stimulus Bill

On page 379 of the current stimulus bill, there's a bit about establishing a website of companies that lost patient information:

(4) POSTING ON HHS PUBLIC WEBSITE -- The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

I'm not sure if this passage survived the final bill, but it will be interesting if it is now law.

EDITED TO ADD (3/13): It's law.

Posted on February 18, 2009 at 12:28 PM • 25 Comments

Comments

Chris • February 18, 2009 1:13 PM

This is something that various researchers and policy wonks have been asking for for some time. I don't know the legislative history on this, but perhaps Obama's Regulatory Czar (Cass Sunstein) had something to do with this transparency initiative, as it is consistent with his general approach.

A few states require central reporting of breaches related to non-public personal information. Sometimes, states make breach reports available on government web sites, even where central reporting is not mandated.

As part of a project to make this type of information easily and widely available, the folks at the Open Security Foundation have set up a pretty spiffy web site which your readers might find useful:
http://datalossdb.org/

There's a sizable (and growing) section devoted to the actual notification letters and other documents associated with various breaches as well:
http://datalossdb.org/primary_sources/

derf • February 18, 2009 1:31 PM

Surely there should be a similar system for federal, state, and local government data breaches...

Fraud Guy • February 18, 2009 1:48 PM

500 or more? That is not a reasonable number, as almost breaches and potential breaches are in a lower range. IIRC, one of the few public cases was for a nurse who accessed dozens of patient records. If a "0" was chopped off the back end, it would be more significant.

However, on the flip side, actually putting standards for acting on HIPAA violations is a step in the right direction.

Tangerine Blue • February 18, 2009 1:59 PM

> THAT'll create some jobs...

That was funny. Maybe it could, if we really milk it --

We could create a department of HIPAA compliance. This federal agency could defend large medical providers from their customers and whistleblowers, while ineptly cobbling together massive insecure computer database systems of every american's health records.

Davi Ottenheimer • February 18, 2009 2:06 PM

California AB 211 and SB 541 passed last year. AB211 created a state Office of Health Information Integrity for enforcement and SB 542 significantly strengthened breach disclosure requirements and penalties.

Example:

http://info.sen.ca.gov/pub/07-08/bill/sen/sb_0501-0550/sb_541_bill_20080930_chaptered.pdf

(2) A clinic, health facility, agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, no later than five days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, agency, or hospice.

(c) If a clinic, health facility, agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported, following the initial five-day period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event.

Hal O'Brien • February 18, 2009 2:11 PM

"500 or more? That is not a reasonable number, as almost breaches and potential breaches are in a lower range."

How do you know? Not (completely) being snarky, just, this is an unsourced assertion.

"...one of the few public cases..."

Ah. So "public cases" equal 100% of detected breaches? Or is it within the realm of possibility that cases that managed to stay private in the past will find it more difficult in the future?

Moderator • February 18, 2009 3:10 PM

Please focus on the specific provision Bruce mentioned. This isn't the place for a broad discussion of the merits of the stimulus package.

Anonymous • February 18, 2009 3:22 PM

Most of the serious mis-access of medical information I have been involved with involve insiders, and have been in the nature of 1 - 5 mis-uses (usually accessing medical data of family, friends, or famous people). I'm sure there are external break-ins, but I'm not aware of any. (I am product manager for a suite of medical enterprise information systems).

But since these kinds of accesses are insider things, and impossible to prevent without preventing all sorts of required access, it's not appropriate to require publication of these events.

The target is systematic design flaws - and the prospect will probably encourage better behaviour

Davi Ottenheimer • February 18, 2009 3:58 PM

"almost breaches and potential breaches are in a lower range"

You can look at datalossdb and see the numbers in detail.

http://datalossdb.org/download

I just did a quick check and the median is 1,000 (half the numbers are greater) while the average is 229,314.

I'm not a lawyer but I find no specific number ceiling/range in other breach laws. This would make the HIPAA number moot, no? For example consider Massachusetts 201 CMR 17 law that goes into effect at the same time as the FTC Red Flags regulation.

Back to CA AB211, breach enforcement is at the most granular level:

http://info.sen.ca.gov/pub/07-08/bill/asm/ab_0201-0250/ab_211_bill_20080930_chaptered.pdf

"(b) In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:

(1) Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages."

charles decker • February 18, 2009 4:34 PM

Correct me if I'm reading too much/little into this:

(1) Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages."

So if you could give reasonable cause for belief that your information was accessed or viewed in a system breach, even if there was no damages incurred, you could clear 1k?

RonK • February 19, 2009 2:02 AM

@ charles decker

It would seem to me that there is a strong correlation between having reasonable cause and there being damage incurred. Of course, this assumes that the privacy of your medical information has value.

Simply put, if your information is boring, no one would bother to expose it publicly, so the number of unauthorized people who would be exposed to it would be very small, and your chances of proving your information was exposed would also be very small.

Clive Robinson • February 19, 2009 12:02 PM

@ Tangerine Blue,

"This federal agency could defend large medical providers from their customers and whistleblowers, while ineptly cobbling together massive insecure computer database systems of every american's health records."

Apart from "federal" and "american's" that is a very good description of what the UK Gov are trying to foist on the unsuspecting people.

With various bits called "Cerner" and "NHS Spine" it has come under the spotlight again just recently.

Unfortunately one of the main companies involved (BT) have run up huge debts on the project whilst only receiving a pittance in payment.

Unfortunately many people have been shouting warnings for some time (since before Bruce joined) but little notice has been taken...

k7.fantr • February 19, 2009 12:15 PM

I am afraid that what is going to happen will be the desensitization of a data breach. Soon the public will view a data breach the way they look at a car crash. And of course the cost of meeting compliance is going to be passed on to the consumer. But hey, I guess breaking windows keeps the window makers employed. As a security professional, I am the proverbial window maker. (I just don't like the bigger picture that we are painting here)

Michael Sh. • February 21, 2009 11:14 AM

Here's this line on page 152 of the Recovery Bill. Basically the first thing you sign at the doctor's office or hospital will be a waiver saying they can sell your personal information. Creepy. The new centralized medical database is pretty creepy too.

(d) PROHIBITION ON SALE OF ELECTRONIC HEALTH RECORDS OR PROTECTED HEALTH INFORMATION.—

(1) IN GENERAL.—Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual.

Hugh • March 3, 2009 12:03 AM

Time is of the essence for healthcare organizations to start their planning now for a comprehensive security program before HHS comes knocking at their door.

jsylvest • March 16, 2009 8:07 AM

As always, I wonder about the people that comment here. Obviously none work in the health care industry or with real people.

I worked in medical records in a hospital back in the old paper day. It is boring beyond belief.

My daughter currently works with an insurance provider. She continuously, and I mean continuously, tells me about health care providers and their staff who refuse to provide required information to the insurer even with the patient providing signatory release to the insurer. Do you wonder why? The providers don't have to. The patient is liable for the monetary charge even if the medical providers refuse to cooperate to get the insurer to pay and, of course, the insurer is not going to accept the medical information from the patient. Too much rampant fraud there.

Adding a new place where "mistakes" are advertised by the government will surely cause everyone involved to cooperate more closely. I can see it now. Medical provider (their lawyer), patient (their lawyer), insurer (their lawyers') and someone else to fill out the forms (and their lawyer) all in the same room, so someone (guess who) gets paid.

I truly look forward to this idiocy reducing the cost of health care in America.

TheMANwithNoName • March 16, 2009 9:19 AM

"But since these kinds of accesses are insider things, and impossible to prevent without preventing all sorts of required access, it's not appropriate to require publication of these events. . ."

Isn't this just the sort of self-serving determination of appropriateness which makes it necessary to have a bill such as this?

Jon • March 21, 2009 6:36 PM

"As always, I wonder about the people that comment here. Obviously none work in the health care industry or with real people. "

I too, (now) hold a great disdain for the arrogance of the posters here..... for My view is supreme...even, by the way, if I miss the point ... like the inherent value in the concept of transparency.

I will snide away at all that pass before my eyes... etc etc.
