7x24 Exchange 2014 Spring Magazine - page 68

HIPAA, NOT JUST FOR DOCTORS:
TECHNOLOGY VENDOR RISKS & OBLIGATIONS
by Tatiana Melnik
Over the last several years, and certainly since the numerous disclosures made by Edward J. Snowden regarding snooping by the U.S. Government, privacy and security issues have taken on a renewed importance. Nowhere is that more true than in the healthcare space, where, in 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act mandating penalties for healthcare-related privacy and security breaches and expanding the scope of direct enforcement beyond healthcare providers to encompass information technology vendors serving the healthcare industry. Since the enactment of the HITECH Act, the Office of Civil Rights has taken action against fourteen different organizations and government entities, reaching settlements and issuing fines totaling approximately $14.9 million. There has also been an increase in enforcement actions by the Federal Trade Commission and State Attorneys General, as well as by plaintiffs by way of class action litigation.
A Bit of History

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] was one of the first laws to address the privacy of healthcare information. The goal of the law was to improve the efficiency and effectiveness of the healthcare system by, among other things, standardizing the electronic exchange of administrative and financial data.[2] In enacting HIPAA, Congress recognized that, “[h]ealth information is considered relatively ‘safe’ today, not because it is secure, but because it is difficult to access”[3] and enabling electronic transactions would, invariably, jeopardize the privacy and security of healthcare information. Congress therefore directed the Secretary of Health and Human Services (HHS) to adopt certain standards to protect the integrity, confidentiality, and security of health information.
Thirteen years after it enacted HIPAA, Congress revisited the privacy and security of healthcare information and enacted the HITECH Act as part of the American Recovery and Reinvestment Act of 2009.[4] This new law was, in part, a response to the lack of HIPAA enforcement[5] as well as a recognition that privacy and security concerns would increase with the move to electronic healthcare records.[6] In an effort to encourage increased HIPAA compliance and enforcement, the HITECH Act requires mandatory breach notification, sets forth a tiered civil penalty structure, and grants state Attorneys General the right to enforce HIPAA on behalf of their state citizens. The HITECH Act also made clear that vendors that obtain or create protected health information on behalf of their healthcare clients are also subject to compliance with certain requirements of the HIPAA Laws. The HITECH Act therefore increased the financial risks for all organizations handling protected health information that fail to comply with HIPAA.
Currently, the scope of “HIPAA” includes the HIPAA statute passed in 1996, the HITECH Act, the Genetic Information Nondiscrimination Act (GINA) and four implementing federal regulations issued by HHS—the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule, commonly known as the “HIPAA Rules.” To account for the changes required under the HITECH Act and GINA, HHS revised the HIPAA Rules and reissued them in the form of an “Omnibus Rule” on January 25, 2013 with an effective date of March 26, 2013.[7] Compliance was required by September 23, 2013.