Published by LawTechie - April 25, 2013

So we all dread the frustrating inefficiency of our healthcare system. Thankfully, there has been a recent increase in the number of healthcare-based software applications and other tech-based support services, such as Simplee, which “combines Mint.com and Paypal to bring medical bill payment, management to your smartphone.”
The new HIPAA final omnibus rule, which goes into effect on September 23, 2013, has significantly expanded the types of businesses and the types of activities that fall under HIPAA regulation. The new rule has also raised the maximum penalty for noncompliance to $1.5 million per violation.
Here is what technology businesses need to know. The new rules do the following:
  1. Clarify when breaches must be reported to HHS’ Office for Civil Rights;
  2. Establish new standards for the use of patient-identifiable information for fundraising and marketing;
  3. Expand liability to “business associates” of hospitals and other “HIPAA-covered entities,” such as data miners and health IT service providers; and
  4. Raise the maximum penalty for noncompliance to $1.5 million per violation.
As has always been the case under HIPAA regulation, the number one obligation of healthcare information “handlers” is to report security breaches or losses of data to HHS’ Office for Civil Rights so that patients are warned in a timely manner that their privacy has been compromised.

Under the old system, breaches were only reportable if there was a “significant risk of harm” to the patients from the privacy breach. Under the newly updated HIPAA rules, the burden is reversed: to avoid the onerous reporting requirements, data handlers will need to show that there is a low probability that the information was actually compromised.

Here is what can be done to ensure a low probability of compromise and, therefore, proper compliance:

  1. Keep all healthcare patient data encrypted (easy to do these days); and/or
  2. Install kill-switch software on data carrying devices so, if lost or stolen, the device can be remotely killed; and/or
  3. Install GPS locator software functionality on data carrying devices… for the obvious reasons; and/or
  4. Do not keep patient info in public places (less relevant to my tech company clients, but still common sense); and/or
  5. Be sure to employ a hierarchy of user permissions so that only employees (e.g., programmers) who must absolutely have access to patient data get that access… your sales team, non-essential interns, marketing team, etc… should not have access.

The above points are more or less no-brainers. The main thing to keep in mind is that, under the new rules, if your technology in any way touches the protected health information (as defined in the rule), then the above precautions should be taken.

LawTechie is a blog focusing on trends in tech and digital media. Areas covered include intellectual property, cyberlaw, venture capital, transactions and litigation as they relate to the emerging sectors. The blog is edited by the firm's partner Tim Bukher with contributions from the firm's experts in their respective areas of law.
