
Healthcare, cybersecurity policy and privacy on legislative agenda

By Alexander B. Howard, Associate Editor
17 Sep 2009 | SearchCompliance.com

Enterprise IT news roundup

Healthcare, cybersecurity policy and privacy top the list of priorities outlined in the technology briefing by fellows and executives from the Center for Democracy and Technology (CDT), a Washington, D.C.-based nonprofit. These issues will all directly affect compliance and security professionals as the full slate of legislation moves through Congress during the fall session.

The American Recovery and Reinvestment Act (ARRA) of 2009, aka the stimulus bill, is having significant regulatory effects. The clearest example is in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which includes provisions that affect health privacy. Nine months after ARRA passed, the rules enacted in it are starting to apply.

Healthcare

The most significant of these are likely to be the breach notification rules from the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC). Deven McGraw, director of the Health Privacy Project at CDT, expressed concerns about the HHS breach notification provisions as they apply to Health Insurance Portability and Accountability Act (HIPAA) entities and extend to personal health record vendors that fall under FTC regulations. "We're pleased with the rule that FTC came out with," she said, but, "HHS interpreted the breach definition to include a harm standard that is broadly worded and gives authority to a breached entity about whether there is harm. If that entity determines that the answer is no, notification doesn't have to happen."

McGraw pointed out that, "if the FTC is reasonably certain data hasn't been acquired, a breach hasn't occurred. HHS expands on that -- well, what kind of data? If it's just your name and you were in a hospital, there's no risk of harm. Core health data is subject to a less rigorous standard."

HITECH compliance goes into effect Sept. 24 under the FTC's standard, although, according to McGraw, both agencies say they won't enforce the breach notification rules for 180 days. She added that she expects conservative interpretation of the rules, given the FTC's enforcement of HIPAA violations at CVS Caremark Corp.

Cybersecurity

Reforming cybersecurity policy is a major priority under President Barack Obama's administration. Proposed changes have the potential to rework compliance with the Federal Information Security Management Act and guidelines from the Federal Energy Regulatory Commission and North American Electric Reliability Corporation, or FERC and NERC. Many other areas of e-commerce and infrastructure could also be affected, given the broad reach of proposed legislation like the Cybersecurity Act of 2009 (S.773, aka the "kill-switch bill").

In terms of the cybersecurity act -- also referred to as the Rockefeller-Snowe bill, after Sens. John Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) -- it's still not entirely clear what the president's power will be in an emergency if the legislation doesn't come through. Gregory Nojeim, CDT counsel, said, "It would be useful for the White House to offer its view in the context of a given scenario," in response to questions regarding the president's control over the Internet and various free speech and commerce issues. Concerns over a "cyber-Katrina" aren't purely academic, either, as numerous technology advocates and analysts have expressed concerns about how S.773 may set or apply standards from the National Institute of Standards and Technology (NIST).

Questions about cybersecurity policy that need to be answered include: Will best practices defined by NIST be auditable and audited? Could such standards stifle innovation because of that level of detail? Ari Schwartz, vice president and chief operating officer at CDT, expressed confidence in the nomination of physicist Patrick Gallagher to the post of NIST director. Should Gallagher be seated, he'll have a full portfolio as he begins work.

Privacy

This fall's legislative session of Congress will see numerous issues, including the OpenID federated identity framework's .gov authentication pilot, prospects for a national data privacy law (H.R. 2221) and Pass ID. All three of these areas will be affected by the direction of the cybersecurity policies defined by the administration.

Cynthia Wong, the Plesser Fellow at CDT, said the Pass ID markup happened at the end of July, when Senators cleared the way for a measure to replace REAL ID. "In general, CDT has been supportive of Pass ID, since we view it as an improvement over REAL ID, which is still on the books," Wong said. "Pass ID mitigates some key privacy concerns from REAL ID and also introduces new privacy protections for information contained in the machine-readable zone on driver's licenses and ID cards that don't exist apart from individual state law. However, we think the bill can still be improved, and have made specific recommendations for strengthening privacy protections to Congress." Wong also shared concerns about Pass ID amendments in a post on the CDT blog.

In terms of the use of OpenID for .gov websites, Schwartz expressed cautious optimism, ladled liberally with concern over the details of implementation.

"If you go back to 1998, GSA [the General Services Administration] has a problem called ACES," he said, referring to Access Certificates for Electronic Services. "The goal was to give every American a digital signature. We had a lot of problems with that. That program broke up into pieces. One of the things they were pushing for was federated identity, which offered the ability to have many levels. We liked the GSA approach, but it never went into effect. Now, [federal CIO Vivek] Kundra is taking that scheme over. We need to make the levels actually work. Level 1 is the most basic, and then on up."

The privacy challenges, as Schwartz sees them, lie in how the OpenID system will work. "The question is what kind of information can the third party keep, is it limited by contract, and how do you set those rules up," he said. "That's not clear. We're going to have a consultation with agencies and OpenID to try to come up with guidance."

Let us know what you think about the story; email: ahoward@techtarget.com or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.