Monday, March 2, 2009

Analysis of the Stimulus Bill and Healthcare Privacy

There is a substantial problem out there with many of the regulations, compliance initiatives, and associated laws. They lack teeth. If you don't believe how bad this is, navigate over to the PCI Security Standards Council and do a quick search for the word "penalty" - I'll save you the effort because you'll get no results.

George Hulme published an interesting piece today on this very topic on the Health Information Trust Alliance (HiTrust) Central site... and while I don't doubt that the government means business, there are problems right from the start...
  • The fines are $100 per violation, capped at $25,000 per calendar year for violations of the same requirement, where the violations are shown to have occurred "without knowledge"
  • The fines escalate to $10,000 per violation, capped at $250,000, for willful neglect; and if the entity doesn't fix the problem they rise to $50,000 per violation, capped at a cool $1.5MM
I already see some major issues with this. It's only rhetoric until it is enforced... I went to the source (and it wasn't easy, this thing is a monster) and found the exact text in case you're curious; start around page 164.

I'm pulling specific pieces out, below, for your [dis]pleasure. I recommend you read this on your own, as your mileage on my interpretations may vary - I am *clearly* not an authority in such matters.

First off, let's define the term breach, here off page 164:
"(1) BREACH.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person. Such term does not include any unintentional acquisition, access, use, or disclosure of such information by an employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, accessed, used, or disclosed by such employee or agent."
Immediately I am struck by the marked distinction between what is an unauthorized disclosure and what is not. If you notice, the definition of what a breach is takes one sentence, while the carve-out for what it isn't takes the rest of the long paragraph. The two interesting parts are the "or other contractual relationship" bit and "in good faith": an employee or contractor who pokes at records they had no business reading is not a breach as long as they say they meant well and don't pass the data on. It's all interesting legal double-speak.

There is also a revision provision on page 169 that forces a yearly review and guidance revision to the technical safeguards - this is good because it forces a yearly revisitation of what works, what doesn't (at least I hope that's the intent).
"ANNUAL GUIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, in consultation with industry stakeholders, annually issue guidance on the most effective and appropriate technical safeguards..."

I was thrilled to see Section 4402 (Notification in the case of Breach) in this document as well - maybe we'll see a flood of medical breach notifications coming...

This section is quite interesting:
"(c) BREACHES TREATED AS DISCOVERED.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred."
So... if a hacker reports the breach to authorities, after successfully stealing medical records, it isn't considered "discovered" until someone at the entity knows about it, or "should reasonably have known"!? That constructive-knowledge clause is the only thing stopping an entity from keeping its head in the sand, and it will come down to what an auditor thinks the entity should have noticed in its own logs.

The document then goes on to talk about timeliness of disclosure, saying that the entity must notify all those affected without unreasonable delay and in no case later than 60 days after discovery. That isn't necessarily quick, but at least there's a deadline, and note that the clock starts at "discovery" as defined above, not at the time of the actual intrusion. And then there's this bit...

"(2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach."
You have to know this will strike some fear into the hearts of medical records care-takers... everyone fears the media, and public disclosure of such a breach is often followed by public ridicule and nastiness. The entity must also notify the Secretary, and breaches affecting more than 500 individuals get posted on the Dept. of Health and Human Services website - so more public shaming.

Page 181 also struck me as important because it identifies, for the first time that I have seen, that data taken and kept should be the minimum required to accomplish a task... this is a giant leap forward and actually seeks to lay out that only the data sets that are absolutely needed may be used, whereas currently I see entities keeping way more information than they could possibly need. While I think "minimum necessary" will be difficult to define, it is certainly a necessary first step.

Where it really gets good, or as George would say, where the teeth are, is on page 196, section 4409. Reading through this section it appears quite clear that accidental disclosures, if due care is taken, are very lightly penalized, with as little as $100 per violation; while willful neglect fines start at $10,000 per violation, jump to $50,000 per violation if the problem isn't corrected, and top off at a cool $1.5MM... ouch. While the fines are a generally good deterrent coupled with the public shaming and disclosure laws - consider something else.

In the case where an entity has a very serious case of the HIPAA non-compliance blues, and can convince the auditor that it has done what is considered due care or due diligence... while spending as little actual time, money and resources as possible - it may very well end up being less expensive to simply pay the resulting fines than to have actually good security protections in place. Even in the worst-case scenario where willful neglect is proven (and let's face it, that's nearly impossible without an internal whistle-blower) the maximum fine is only $1.5MM per calendar year for violations of any one requirement... while the costs of the associated security technologies, manpower, and process improvement may run well into 10x that cost. Yes, the cap resets each year and separate requirements stack, but an entity that does the math on a single bad year will still find the fine the cheaper line item.

So at the end of the day we have to ask ourselves... while this law is a decent starting point - does it do enough to protect citizens' medical data? Or is this simply another display of hand-waving and rhetoric we've come to expect from government-sponsored compliance regulations?

Sorry, but I'm not impressed.

Anonymous said...

I loved reading your analysis! I started writing all my thoughts as a comment to you, but then realized it would work well as a blog post. Please see it at

Keep up that great constructive criticism! :)


Rafal Los said...

@Rebecca - Thank you (PrivacyProf on twitter?) It's always great to have someone review your work, positive or negative.

I'm madly disappointed in the new administration's attempt at this effort, but I suppose anything is better than nothing... eh, maybe not.

Anonymous said...

Yep! Aka PrivacyProf in tweets. :)

Well, it's only the beginning of March...and they are also dealing with trying to fix a mountain of a huge mess...

I'll look forward to seeing where we're at by mid-October with all types of regulatory oversight; hopefully the birth of more information security and privacy enforcement.