The Great HITECH Act Loophole

Michael Vizard

At first glance, the HITECH Act that goes into effect today looks like a formidable piece of legislation. Companies in violation of the HITECH Act can incur millions of dollars in fines should they be found to be willfully neglecting the security of their data. Moreover, the law applies to any organization that does business with a healthcare entity, not just the healthcare organization.

On paper at least, healthcare organizations are required to notify the Department of Health and Human Services (HHS) and the media when a breach involves 500 or more people or more than 500 records. They are also required to have encryption policies in place that are consistent with standards set forth by the National Institute of Standards and Technology (NIST).

It might be enough to make anyone tremble at the thought of violating this act, except for one giant loophole. The final version of the HITECH Act includes a provision that allows the healthcare organization to determine, after its own internal review, whether a breach actually harmed anyone. If it determines that there is no potential for harm, there is no need to disclose anything to anybody.

Now consumer advocates are up in arms over this, and most lawyers are advising their clients to err on the side of notification. But notifying people of a breach every time one happens can add up to millions of dollars in costs. In the meantime, it's quite possible that IT people in the healthcare sector are going to find themselves in an untenable situation. The human resources and legal departments will be advising them to disclose, while the finance department will be arguing for a conservative approach to notification that limits cost exposure and protects the reputation of the healthcare organization.

The better part of valor, of course, is to review all processes to limit the number of breaches and then create an incident response plan that reduces the cost of notifications. That assumes you have some structured approach to governance, risk management and compliance (GRC) in the first place. In addition, companies such as ID Experts are providing tools to help customers understand their real potential for breach exposure and resulting liability.

But if you're under the impression that the new HITECH Act is about to put some real teeth behind data breach regulations, chances are pretty good that you're about to be disappointed.


By the way, I've started a discussion in our Knowledge Network about the implications of the HITECH Act. Check it out.



Sep 23, 2009 8:20 AM HLGCDT says:

The Center for Democracy & Technology wrote an article on how the HHS harm standard for breach notification undermines patient privacy and the transparency of health care companies.

That article can be found here:


Sep 23, 2009 7:39 PM Alexander Howard says:

I'm not sure that this analysis is quite on, in light of the enforcement of HIPAA by the FTC and the more conservative interpretation taken of what constitutes a breach by that body. You're correct that the interpretation in the data breach position by HHS would leave a loophole for entities to decide what rises to "meaningful" - the other relevant governmental regulator appears to have a more conservative interpretation. Since the latter is the one that just hit CVS Caremark with a $2.25 million fine for a HIPAA violation, I suspect more CIOs and compliance officers are likely to err on the side of caution.

Sep 24, 2009 8:38 AM Jana Aagaard says:

The question is: Do patients want to receive letters notifying them of breaches where 99 out of 100 or even 90 out of 100 people would say -- "No harm, no foul"? Large hospitals, for example, will have occasional mix-ups, where a nurse inadvertently gives the wrong discharge instructions to a patient, realizes his error very quickly, retrieves the instructions within 45 seconds, and gives the discharge instructions to the correct patient. That is a breach. Does the patient need to receive written notification of that?

Another example: A general acute care hospital (not a psychiatric hospital or a facility specializing in one specific type of treatment) has a list of patient names and dates of admission, but no other information -- nothing about diagnosis, no address, no social security information, nothing else. If that list is disclosed to anyone who does not have a need to have that information outside the hospital, it is a breach. But is this a situation in which notification should occur?

The federal Department of Health & Human Services has noted concern that if breach notification occurs for breaches that do NOT have the potential for harm to the individual, the notification process becomes trivialized and patients will tend to dismiss the notifications. DHHS wants breach notification to remain meaningful and significant to patients.

The experience of California, which has had a very stringent breach notification law in place for hospitals, hospices, home health agencies and licensed clinics (but not for doctors) since January 1, 2009, is that the majority of reported breaches are NOT significant. The majority are misdirected faxes, many of them internal, and many of them to the wrong doctor. Many other reported breaches are misdirected bills and mix-ups in discharge instructions.

Not all breaches are innocuous, of course. Some have very large potential for harm, and thus patients should be notified of all breaches that do have potential for financial, reputational or other types of harm. There are too many breaches, however, that have virtually no potential for harm -- in fact, if California's experience is any guide, the majority of breaches will have minimal potential for harm. A significant risk assessment will help keep the letters sent to patients meaningful and likely to get patients' attention.

