Large hospitals and national organizations would benefit from a single, national security breach response process.
The recent breaches at Target, Neiman Marcus and other retailers have gotten the attention of our national legislators. Last month, US legislators introduced the “Data Privacy and Breach Notification Act of 2014.” The bill, introduced by the Senate’s Commerce, Science, and Transportation Committee, would establish a federal standard for consumer data protection and data breach notification. In the event of a breach, the bill would require companies to notify affected customers within 30 days in most cases. Breached companies would also be required to notify a central, designated federal organization established by the Department of Homeland Security, which in turn would notify other relevant law enforcement and government agencies of the breach. Furthermore, the bill calls for the Federal Trade Commission to issue security standards for companies that retain consumers’ personal and financial data, and it would impose civil penalties for violations of the law as well as criminal penalties on corporate personnel who deliberately conceal a data breach.
Currently, health care organizations must comply with the HIPAA breach notification rule, which provides a national standard for breach reporting. Additionally, they must comply with any relevant state law process. This is not overly burdensome for small providers whose patients all come from the same state: they need only craft a breach response that simultaneously complies with HIPAA and that one state’s law.
However, the current patchwork of 46 different state laws is a headache for large, national organizations. At present, when a breach occurs at such an organization, it must carefully review the breach response laws of 46 different states and create different notices based on each state’s particular requirements. In some cases, the state-specific customization is triggered because the provider operates a facility in the state; in other cases, the deciding factor is the patient’s state of residence. Complying with all of these laws requires significant legal and administrative costs.
Consequently, a national standard would greatly simplify breach response for large organizations, particularly national health insurers and provider organizations operating in many states.
The devil is often in the details, especially regarding the proposal for the FTC to establish security regulations. It is unclear whether healthcare organizations would be exempt (since the federal HIPAA regulations already regulate healthcare) or whether this would become another set of compliance obligations layered on top of HIPAA.