The following text is copyright 2003 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Eventually a floor?
By Scott Bradner
After a rather long gestation period which, in the minds of many privacy advocates, included a significant watering down, the U.S. Department of Health and Human Services published the final version of the "National Standards to Protect the Privacy of Personal Health Information," the rules issued under HIPAA and usually referred to simply by that name, on February 13. The regulations themselves run about 6500 words and were published in the Federal Register with an extended commentary detailing the changes resulting from responses received to earlier versions.
The Department of Health and Human Services has set up a web site dedicated to the new rules and their interpretation. (http://www.hhs.gov/ocr/hipaa/).
The gist of these rules is that individuals must give their consent before medical data can be shared except where the sharing is in support of treatment, payment, or health care operations. In addition the rules define security, administrative, physical, technical, organizational, documentation and policy safeguards and requirements to protect the data.
In general the rules look reasonable but there are some funnies. For example, the use of encryption is not required for data communications, although, as the Frequently Asked Questions puts it, "Covered entities are encouraged, however, to consider use of encryption technology for transmitting electronic protected health information, particularly over the internet."
If you are not a health care-related business you might wonder how much this new set of rules impacts you. Sure it's good to think that your personal health care records may not be quite as easily accessible to random third parties but you might think that these rules will not affect your IT-related day job. You may just be wrong, maybe not right away, but over time you could be quite wrong indeed.
I was talking to an auditor friend of mine a while ago about HIPAA and he pointed out a potentially important bit of history. One thing that the US court system has been seeking for quite a while is a solid understanding of what should be considered "reasonable care" in the area of protecting data in a corporation. That is, what systems, procedures, technologies, etc. would someone who wanted to protect corporate data, for example customer credit card information, employ? Up to now there has been no common agreement on what that would be. But now the US government has come up with a set of guidelines that define just what a reasonable person should do to protect a particular type of data. My friend wondered if the courts, driven by plaintiffs' lawyers, would start to use these guidelines in cases involving other types of data. After all, what is described here is all well within the state of the art, so why shouldn't it apply to all important data?
There is no way to tell if the HIPAA guidelines will wind up becoming the basic rules for data protection, a floor of the range of options, rather than the top as they are now. But, for those of us who do worry about protecting privacy, it might not be a bad thing if it did happen.
disclaimer: These rules could move from being a fact of life for med school graduates and an opportunity for law school graduates to a worry for business school graduates, but I did not ask any of the schools in developing this musing.