President Barack Obama reiterated his goal of changing cybersecurity in his State of the Union address on Tuesday. He hopes to improve data security through legislative modifications and his own cybersecurity proposal. However, healthcare providers are concerned about how these changes might affect the Health Insurance Portability and Accountability Act, or HIPAA.
Some of the language within the legislation is so vague that providers are uncertain whether it would apply to them. However, if it does, it would directly conflict with the HIPAA rules requiring providers to notify patients of a cybersecurity attack within 60 days of its discovery, according to HealthData Management. The legislation, if passed, would require organizations to notify consumers of breaches within 30 days.
Sharing medical information with the government
HIPAA was passed by Congress in 1996 to provide standards for electronic billing and other digital data processes, according to the California Department of Health Care Services. It is a huge part of patient confidentiality and how healthcare providers can handle medical records.
Since HIPAA has changed the way healthcare can use electronic documents, it is tied strongly to cybersecurity. This means that Obama's proposal can have a huge effect on HIPAA compliance. Parts of the proposal request that companies across various industries share data with the government to prevent cybersecurity attacks. This would mean that healthcare providers might have to share personal identification information, according to HealthData Management.
Brian Evans, senior managing consultant at IBM Security Services, told the source that he has never seen an instance in which shared information has prevented a breach. This means that some believe the proposal wouldn't help protect health records from being breached, but would still reveal personal information to the government. Despite the criticism and fear surrounding the proposal, the source mentioned that the bright side of all of this discussion is that it is being debated at all.
HIPAA vs. new legislation
The vague wording that leaves open whether the proposal applies to healthcare providers is the term "companies." HealthData Management noted that the proposal draws no exact distinction between companies and healthcare providers.
The proposed law has come under scrutiny from some cybersecurity professionals for being too harsh and broad. However, Steve Fox, chair of the data breach protection group at the law firm Post & Schell, told the source that the standards would be useful if they replace all of the nation's state laws on cybersecurity.
"It's also important to make sure this new law will coordinate with HIPAA's breach notification requirements, so there won't be separate laws for healthcare data breaches and non-healthcare breaches," Steve Fox said. "In addition, I hope the new law will address encryption standards, so they will also be consistent with HIPAA and provide a single baseline for all organizations that hold sensitive data."
Cybersecurity wasn't as much of a concern a year ago, but now many are debating what resources should be used to protect companies from breaches. Obama is putting in his best effort to create new ideas and legislation for cybersecurity, which is a huge step for the modern technological world. HIPAA compliance may change with these proposals, which means healthcare professionals need to watch for those modifications.