Monday, March 2, 2009

Expansions to HIPAA in Stimulus Bill

With a trillion-odd dollars in spending, it was easy to overlook some of the details of the US stimulus package. Surprisingly, a full 21 pages of the 407-page American Recovery and Reinvestment Act are devoted to a significant tightening of HIPAA's privacy and security rules.

If you like to read stimulus packages, check out the actual bill here (warning - 13MB pdf). The HIPAA security and privacy part of the bill can be found on pages 144-165. The fact that roughly 5% of the document is devoted to security and privacy of health information underscores just how important the digitization of IT is to the new administration (or just how vague the spending bill is, but let's try to be glass-half-full types). Obama has specifically mentioned the digitization of health care as a priority of his administration on numerous occasions. Tightened security and privacy helps lay the groundwork for this change.

HIPAA has forced major changes in whom health care organizations can share information with, but has arguably not forced specific changes within organizations (as opposed to, say, PCI). Nonetheless, HIPAA is one of the most overhyped reasons given for justifying security spending. Almost every security vendor presentation I sit through (and there are a lot...) opens with something about the need to ensure PCI, HIPAA, and SOX compliance. But with few specific technical rules on what companies should or should not do with personal data, it is difficult to use HIPAA to justify any specific security expenditure.

This bill isn't going to change that. HIPAA is more about the defensibility of an overall security narrative. It focuses on having policies and procedures in place and on the legality of data exchange with external partners. Although the privacy aspect of HIPAA is relatively binary (PHI is either shared with unauthorized parties or it isn't), the security aspect is very open to discussion. This is in sharp contrast to, say, PCI, where the detailed requirements leave only limited room for interpretation.

There are nonetheless important expansions to HIPAA in the bill. The regulation now covers a broader range of entities and also contains very specific data breach notification requirements. My guess is that the new breach notification component will have the most direct effect on organizations. I have written of the diminished importance of breach notification laws, but health care providers are different. They operate in a political arena and often rely heavily on government contracts. Even if consumers don't really care about breaches, it will be hard for repeat offenders to successfully bid on government RFPs. Publicized breaches can have real costs for health care organizations.

HIPAA has also until now suffered from very weak enforcement. Two weeks ago CVS received what was only the second HIPAA fine in history. This fine was apparently for throwing out receipts with patient data directly into the trash. Failure to shred this information is so obviously wrong that it can't really be considered a specific HIPAA violation as such. The first HIPAA fine was for a mere $100,000.

The expanded HIPAA rules in the stimulus bill have significantly raised the potential penalties for violators. Until HIPAA violators start getting fined in a consistent and significant manner, it is unlikely that HIPAA will lead to significant security related spending.


  1. Great information and insight. Thanks!

  2. Thanks Scott - glad you enjoyed it!

  3. As a consultant, we are predicting a sharp incline in HIPAA fines in IT for 2011.
    Long Term Care providers are "on the top of the list".
    As more and more providers turn to automation, mediocre web-based applications that claim to be HIPAA compliant can prove to be costly mistakes.
    No more "I didn't know"
    Do your homework...
