Among tax cuts and credits, more bailout funds and restrictions on executive pay packages, the American Recovery and Reinvestment Act (ARRA) also includes a section that introduces the first federally-mandated data breach notification law.
As I've written before, Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act) reserves $22 billion to "advance the use of health information technology" so that we will be able to meet President Obama's goal of moving to e-health records by 2014.
The HITECH Act also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies and the like) that are subject to HIPAA, and strengthens HIPAA enforcement measures. All are significant changes to HIPAA compliance.
Of particular interest to industry observers, however, is the fact that the HITECH Act includes data breach notification requirements for protected health information. Though several states have data breach notification laws covering information used in identity theft (Social Security Numbers, credit card numbers, banking information, etc.), only a few have extended such notification laws to health information. And the federal government has never addressed the issue. Until now.
And the fact that Congress chose to address it in the HITECH Act, specifically where health care information is concerned, makes some wonder if this may be the only federal legislation we see on data breach notifications. In other words, the fact that Congress had the opportunity to craft a broader data breach notification law and didn't could mean that its members are content to let various state laws control.
Goodwin Procter counsel Jacqueline Klosek told me recently:
"People thought that eventually there would be a federal law that would supersede and kind of help out because there is such a tremendous number of state laws that companies have to consider every time there's a breach, but that didn't happen... I think it kind of came out of nowhere. Boom -- we all of a sudden have a federal breach notification law, but it's not really what we had expected in that it only applies to health information. I'm more skeptical now [that there will be a broader federal law]."
The fact that Congress chose to limit the requirements to health information also complicates matters for companies that operate in several states. They are already subject to the various state data breach notification requirements, which can be different and at times inconsistent. And those will still apply to information other than in the health arena. So those companies can't simply come up with a form letter that will work for every breach.
Proskauer Rose partner Tanya Forsheit says:
"If they have a situation, they really need to understand what the various laws require them to do, and if they are also now subject to the new HIPAA provisions, it's going to be that much more complex, frankly."