HIPAA privacy rules guide EHR data security

The privacy and security of patient information featured in electronic health records is governed in part by a law largely developed and passed in the pre-internet era.

The Health Insurance Portability and Accountability Act, passed by Congress in 1996, requires health plans, health care clearinghouses and health care providers to protect and confidentially handle protected health information.
 
If these covered entities hire business associates to help manage data, the business associates become directly liable for compliance either under HIPAA rules or contractual agreements with the covered entities.

However, these business associates may be storing data in the cloud in an unsecure manner, said Peter Vogel, a Dallas-based partner with Gardere Wynne Sewell L.L.P. focusing on information technology issues.

“The business associates may or may not encrypt the data to be in compliance with HIPAA,” he said. “In the health care community, we are a very large target, and I think many, many covered entities don’t do a thorough enough analysis of where their data is stored with their business associates.”

The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law in February 2009 to promote the adoption and use of health IT and address privacy and security concerns associated with the electronic transmission of health information partly through provisions strengthening the civil and criminal enforcement of HIPAA rules. The law introduced categories of violations based on increasing levels of culpability and corresponding rises in the minimum penalty amount for each violation.