7x24 Exchange 2014 Spring Magazine - page 73

with the PHI “no matter how far ‘down the chain’ the information flows.” [24]

Additionally, while covered entities, business associates, and subcontractors must enter into Business Associate Agreements, “direct liability under the HIPAA Rules [attaches] regardless of whether the [the parties] have entered into the required business associate agreements.” [25]

Finally, vendors should carefully evaluate their level of risk and purchase cyber liability insurance in accordance with the level of risk they have accepted. According to a 2013 study on the global cost of a data breach, the cost to repair a data breach in 2012 was approximately $188 per record. [26] At that rate, the cost to repair a breach impacting 50,000 records is $9.4 million. Such costs may be prohibitive for a number of organizations. As such, vendors should appropriately limit their liability in contracts and avoid agreeing to unlimited liability in any transaction, unless they are prepared to go out of business for that specific deal.
REFERENCES
(1) Pub. L. 104-191, 110 Stat. 1936 [hereinafter HIPAA], available at detail.html, was signed into law on August 21, 1996 by William Jefferson “Bill” Clinton.
(2) See id. at § 261, which indicates that the purpose of Title II of HIPAA is ‘Administrative Simplification.’
(3) H.R. Rep. No. 104-496 Part 1 at 99 (1996), available at -104hrpt496-pt1.pdf.
(4) Public Law 111–5, 123 Stat. 115 [hereinafter the HITECH Act], available at -111publ5/pdf/PLAW-111publ5.pdf.
(5) See Joshua D.W. Collins, Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations, 60 VANDERBILT LAW REV. 199 (2007).
(6) See e.g., Statement of Deven McGraw, Director, Health Privacy Project, Center for Democracy and Technology, S. Hrg. 111–213, Serial No. J–111–3 (Jan. 27, 2009) (“strong privacy protections must be part of any legislation that moves health IT”).
(7) The HIPAA Rules were published in the Federal Register on January 25, 2013. See 78 FR 5566, available at .
(8) See 45 C.F.R. § 160.103.
(9) See 45 C.F.R. § 160.103.
(10) 78 F.R. 5571–72 (Jan. 25, 2013).
(11) Id. at 5571.
(12) Id. (emphasis added).
(13) Id. at 5572 (emphasis added).
(14) See 45 C.F.R. § 160.404.
(15) 78 F.R. 5583 (Jan. 25, 2013).
(16) 45 C.F.R. § 160.408.
(17) Press Release, Connecticut Office of the Attorney General, Attorney General Announces HealthNet Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info, (July 6, 2010); Press Release, Vermont Office of the Attorney General, Attorney General Settles Security Breach Allegations Against Health Insurer, -settles-security-breach-allegations-against-health-insurer.php (Jan. 18, 2012).
(18) Press Release, Indiana Office of Attorney General, Attorney General Reaches Settlement with WellPoint in Consumer Data Breach, (July 5, 2011).
(19) Press Release, Minnesota Attorney General, Attorney General Swanson Says Accretive Will Cease Operations in the State of Minnesota Under Settlement of Federal Lawsuit, Cannot Reenter Minnesota For Six Years Without Attorney General’s Agreement, (July 31, 2012).
(20) See e.g., R.K. v. St. Mary’s Medical Center, No. 11-0924 (Ct. of App. W.Va 2012).
(21) HHS, OCR, Guidance on Risk Analysis Requirements under the HIPAA Security Rule 2 (July 12, 2010), available at .
(22) HHS, Office for Civil Rights, Audit Program Protocol, (last visited Mar. 21, 2014) (“Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule[.]”)
(23) 78 FR 5599 (Jan. 25, 2013).
(24) 78 FR 5574 (Jan. 25, 2013).
(25) Id. at 5599.
(26) Ponemon Institute LLC, 2013 Cost of Data Breach Study: Global Analysis (May 2013), available at .
Tatiana Melnik is an attorney focusing her practice on IT, data privacy and security, and regulatory compliance. She can be reached at