Interestingly, the second-most-read governance post of the year touched on both the HITECH Act and privacy issues -- it addressed the data breach notification rule included in the HITECH Act.
To review, the Health Information Technology for Economic and Clinical Health Act was enacted as part of the American Recovery and Rehabilitation Act, which Congress passed shortly after President Obama took office. Along with setting aside nearly $22 billion for health information technology, the act extended the reach of the data privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) to include business associates of health care organizations.
Moreover, the act's enforcement provisions are tougher, and it includes the country's only federal data breach notification requirement. Because the requirement is drafted only to apply to health information, says attorney Tanya Forsheit, the presence of a federal requirement will make things more complicated for companies when they discover a breach. If health information and financial information are compromised in a single breach, the company must fulfill all the requirements of the various data breach notification laws in the states in which they do business or in which their customers reside, and at the same time, meet the HITECH Act notification requirements.
Goodwin Procter counsel Jacqueline Klosek also notes that the fact that Congress had the opportunity to enact a more far-reaching data breach notification requirement and did not may mean that the HITECH Act's requirement may be the only such requirement we see on the federal level.
She may be right, but I have to agree with a reader who commented on this particular post. That person said:
I think it makes perfect sense that this is limited to health information, since HITECH is relevant to electronic health information. I think I would have been more disappointed if they had taken the opportunity to add unrelated requirements such as financial information to a health bill.
And I wouldn't be surprised if Congress decides to impose similar requirements regarding other categories of sensitive information somewhere down the line. As another reader, James, points out, maybe the HITECH Act's data breach notification requirement signifies "a step in the right direction."