Proposed legislation the White House is sending to Congress to fight cyber attacks includes more protections for consumers than new requirements on companies to better protect the data that they hold. But one of the new requirements would appear to compel a major change in the HIPAA breach notification rule.
The legislation if enacted would establish a national standard for "companies" to notify affected individuals of a breach 30 days from discovery of the breach. Assuming that healthcare covered entities and business associates would be considered “companies,” that would mean the current HIPAA standard of notifying patients of a breach no later than 60 days after discovery would be preempted.
Whether that happens is speculation for now, says David Holtzman, vice president at CynergisTek, a health information technology security consultancy. There are plenty of questions and debates to follow if the President’s proposal for a national notification standard gets serious consideration. Would HIPAA notification requirements be preempted? Would the notification clock start when a breach is discovered or when it occurred? What would be the measure of when a breach occurred? Will the threshold for reporting a breach be when data has been compromised, or will reporting depend on an assessment of the risk of harm to one or more individuals?
Steve Fox, chair of the data breach protection group at the law firm Post & Schell, likes a national breach notification standard especially if it replaces similar laws in states across the nation. “However, it’s also important to make sure this new law will coordinate with HIPAA’s breach notification requirements, so there won’t be separate laws for healthcare data breaches and non-healthcare breaches,” he notes. “In addition, I hope the new law will address encryption standards, so they will also be consistent with HIPAA and provide a single baseline for all organizations that hold sensitive data.”
The President’s proposal would permit healthcare organizations and other companies across industries to share threat information with the federal government to protect against cybersecurity attacks and be held harmless, says Brian Evans, senior managing consultant at IBM Security Services. “It is broadly written but does provide an exception to existing law designed to protect any shared personally identifiable information and would make healthcare organizations immune from both civil and criminal liability for any action as long as it was in good faith.”
But healthcare organizations should be wary of requests to share personally identifiable information, Evans cautions. He believes there would be very rare times when sharing personally identifiable information was necessary.
“After being involved with hundreds of security incidents, I have never seen an instance where personally identifiable information had to be shared in order to combat cybersecurity threats,” Evans says. “So, healthcare organizations do not need to share nor should they share any PII with the government in support of this collaboration unless there is some extenuating circumstance. Once any information is shared, then the government is able to use this information for investigating crimes that are unrelated to the underlying security threat.” The need to share PII would typically not include actions proposed in the legislation, he adds.
What is important now is that the White House has elevated the conversation on risks posed by cybersecurity threats to the highest level, Holtzman says.
In sharing threat data with the government, Bloomberg reports that companies must take reasonable measures to remove personally identifiable information, and the shared data would be “technical indicators” such as Internet Protocol addresses, routing data and time stamps. Shielding companies that share data from harm may encourage the sharing of information that companies have not made public, such as information indicating corporate data was not appropriately protected, Holtzman says. So, holding these companies harmless could prevent silos of threat data and allow the government to coordinate threat information that could affect one or more industry sectors.
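The "reasonable measures to remove personally identifiable information" step is where a healthcare security team turns an internal incident record into something shareable. The following is an added example, not code from the article or from any of the organizations quoted in it: it applies an allowlist of technical-indicator fields (IP addresses, routing data, time stamps, as the article names them), redacts e-mail addresses, Social Security numbers and medical record numbers from any free-text field that survives the allowlist, and refuses to emit a payload that still contains recognisable PII. The field names, regular expressions and the incident record are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Allowlist of fields treated as "technical indicators" (assumption for this
# example, modelled on the categories the article lists: IPs, routing data,
# time stamps). Anything not listed here is dropped before sharing.
INDICATOR_FIELDS = {
    "source_ip", "destination_ip", "destination_port", "protocol",
    "asn", "next_hop", "first_seen", "last_seen", "malware_family", "notes",
}

# Patterns for PII that tends to leak into analyst notes (constructed, not exhaustive).
PII_PATTERNS = (
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN[-\s]?\d{5,}\b", re.IGNORECASE), "[MRN]"),
)


@dataclass
class SanitizedIndicator:
    payload: dict        # fields cleared for sharing
    dropped_fields: list  # audit trail: which fields were withheld
    redactions: int      # how many PII matches were scrubbed from free text


def redact_text(text):
    """Replace recognisable PII in free text; return (clean_text, match_count)."""
    count = 0
    for pattern, label in PII_PATTERNS:
        text, n = pattern.subn(label, text)
        count += n
    return text, count


def contains_pii(payload):
    """Final gate: True if any string value still matches a PII pattern."""
    return any(
        pattern.search(value)
        for value in payload.values() if isinstance(value, str)
        for pattern, _ in PII_PATTERNS
    )


def sanitize_indicator(record):
    """Reduce an internal incident record to a shareable technical-indicator payload."""
    payload, dropped, redactions = {}, [], 0
    for key, value in record.items():
        if key not in INDICATOR_FIELDS:
            dropped.append(key)       # withhold, and record that we did
            continue
        if isinstance(value, str):
            value, n = redact_text(value)
            redactions += n
        payload[key] = value
    if contains_pii(payload):
        # Defensive: an allowlisted field carried PII our patterns could not scrub.
        raise ValueError("payload still contains PII; refusing to share")
    return SanitizedIndicator(payload, sorted(dropped), redactions)


# Constructed incident record mixing indicators with patient and employee data.
CONSTRUCTED_RECORD = {
    "source_ip": "203.0.113.7",
    "destination_ip": "198.51.100.20",
    "destination_port": 443,
    "protocol": "tcp",
    "asn": 64496,
    "next_hop": "192.0.2.1",
    "first_seen": "2015-01-13T14:02:11Z",
    "last_seen": "2015-01-13T15:40:03Z",
    "malware_family": "generic-beacon",
    "notes": "Beaconing from workstation of j.doe@example-clinic.test; chart MRN 4481923 opened",
    "patient_name": "Jane Doe",
    "patient_ssn": "123-45-6789",
    "employee_email": "j.doe@example-clinic.test",
}

if __name__ == "__main__":
    result = sanitize_indicator(CONSTRUCTED_RECORD)
    print(result.payload)
    print("withheld:", result.dropped_fields, "redactions:", result.redactions)
```

The allowlist, rather than a denylist of PII fields, is the design choice that matters: a new column added to the incident system defaults to "not shared" until someone decides it is a technical indicator. The dropped-field list gives the privacy officer an audit record of what was withheld for each submission.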
In addition to a standard breach notification requirement, other consumer protections in the proposal include encouraging financial institutions to offer customers their credit scores for free, encouraging companies (more than 75 so far) to take steps to prevent selling student data for purposes unrelated to the educational mission, and creating a one-stop resource site for identity theft victims at IdentityTheft.gov. Further, a voluntary code of conduct is being released to the electricity utilities to better protect customer data; whether similar codes will be released to other industries is not yet clear.
The proposal also includes an executive order from President Obama in October 2014 to secure payments to and from the federal government by using chip and PIN technology to strengthen the security of new and existing government credit and debit cards.