At first glance, the HITECH Act that goes into effect today looks like a formidable piece of legislation. Companies in violation of the HITECH Act can incur millions of dollars in fines should they be found to be willfully neglecting the security of their data. Moreover, the law applies to any organization that does business with a healthcare entity, not just the healthcare organization.
On paper at least, healthcare organizations are required to notify the Department of Health and Human Services (HHS) and the media when a breach involves 500 people or more than 500 records. They are also required to have encryption policies in place that are consistent with standards set forth by the National Institute of Standards and Technology (NIST).
It might be enough to make anyone tremble at the thought of violating this act, except for one giant loophole. The final version of the HITECH Act includes a provision that allows the healthcare organization to determine after its own internal review whether any breach actually harmed anyone. If they determine that there is no potential for harm, there is no need to disclose anything to anybody.
Now consumer advocates are up in arms over this, and most lawyers are advising their clients to err on the side of notification. But notifying people of a breach every time one happens can add up to millions of dollars in costs. In the meantime, it's quite possible that IT people in the healthcare sector are going to find themselves in an untenable situation. The human resources and legal departments will be advising them to disclose, while the finance department will be arguing for a conservative approach to notification that limits cost exposure, not to mention protecting the reputation of the healthcare organization.
The better part of valor, of course, is to review all processes to limit the number of breaches and then create an incident response plan that reduces the cost of notifications. That assumes you have some structured approach to governance, risk management and compliance (GRC) in the first place. In addition, companies such as ID Experts are providing tools to help customers understand their real potential for breach exposure and resulting liability.
But if you're under the impression that the new HITECH Act is about to put some real teeth behind data breach regulations, chances are pretty good that you're about to be disappointed.
By the way, I've started a discussion in our Knowledge Network about the implications of the HITECH Act. Check it out.