March Madness and murdered dictators aside, next month may be memorable for significant new privacy policies and obligations coming online — especially those for vendors holding sensitive information of a Massachusetts resident. With the expiration of a two-year grace period, Massachusetts will require, effective March 1, 2012, that all service provider contracts include provisions requiring the service provider to implement and maintain security measures for personal information that are consistent with the Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00.
A service provider must comply with this regulation if it “receives, stores, maintains, processes, or otherwise has access to personal information” of Massachusetts residents (e.g., social security numbers, driver’s license numbers, and financial account information) in connection with the provision of goods or services or in connection with employment. For compliance purposes, it does not matter whether the service provider actually maintains a place of business in Massachusetts. In addition, companies that are subject to the regulation must oversee their service providers by taking reasonable steps to select and retain service providers that are compliant. Penalties for non-compliance can be enforced through the Massachusetts Consumer Protection Statute and include the penalties under that law as well as a possible civil penalty of up to $5,000 for each violation, plus reasonable costs of investigation and attorney’s fees.
Finally, on March 7, 2012, HHS is scheduled to publish in the Federal Register its final proposed rule regarding what constitutes “meaningful use” of EHR sufficient to trigger incentive payments under the HITECH Act. A draft of the proposed rule is currently available. It remains to be seen whether this push for EHR usage will ultimately add to or subtract from healthcare data breaches.
As it stands, a HIPAA covered entity must provide notice to the HHS Secretary “without unreasonable delay and in no case later than 60 days from discovery of the breach” for any breach impacting 500 or more individuals. To assist in reporting, there is even an online means of disclosing breaches. The current list of all such disclosed breaches is publicly available, and, not surprisingly, incidents have been steadily increasing according to an analysis done by OCR of breaches occurring in 2009 and 2010.
The annual OCR report indicates that larger breaches occurred “as a result of theft, error, or a failure to take adequate care of protected health information.” OCR Report at 9. It is not difficult to imagine that efforts to obtain governmental incentive payments by achieving meaningful EHR usage, as the term will be further refined in March, may actually cause an uptick in breaches. Despite the requirement that every EHR Module be certified against “privacy and security” certification criteria, which will ultimately be determined by the HHS Secretary, these incentive payments will continue to be tied to usage and not necessarily to verifiable compliance with a security standard. Given that HITECH’s financial incentives remain based on usage and not protection, “sticks” such as reductions in Medicare payments and stiff HITECH fines will continue to be the only real governmental incentive to maintain adequate protection. It would be nice if HHS instead developed a financial incentive or reward program for those firms that go the extra distance (as per NIST standards) when providing security. Maybe such a program will make the agenda after OCR releases a few more breach reports.