President Bush signed into law late last month legislation aimed at preventing data-security breaches at the Veterans Affairs Department, ironically considered by many to be the model of information technology adoption in healthcare.
Bush signed the wide-ranging authorization bill, the Veterans Benefits, Health Care and Information Technology Act of 2006, on Dec. 22, and it took effect immediately. The Congressional Budget Office estimates the bill will cost just under $1.9 billion to implement through 2011, with most of the spending going to more than two dozen construction and renovation projects, including spending up to $610 million on rebuilding VA hospitals in New Orleans, and Gulfport and Biloxi, Miss., that were damaged by Hurricane Katrina. The spending provisions are subject to appropriations from Congress, but the IT policy rules are due in six months.
The law's main IT provision establishes procedures in the wake of what thus far remains the poster child for medical-records security breaches: the May 2006 theft of a computer from the home of a VA programmer carrying personal data on more than 26 million patients, including birth dates and Social Security numbers. The law provides that after future data mishaps, the VA secretary must ensure that either a non-VA entity or the VA's Office of the Inspector General conduct a risk assessment as soon as possible.
The law also gives the VA six months to write regulations governing medical records data-mining, notification of persons potentially affected by a breach, fraud alerts, credit monitoring, identity theft insurance and credit-protection services. The law also requires that the VA write into contracts for data processing and maintenance some language prohibiting the disclosure of any sensitive personal information unless expressly permitted under the contract.
IT vendors under contract with the VA also shall be required to promptly report any data breaches to the secretary and agree to be held liable for damages after a breach. Money collected from contractors under the damages clause shall be used to offset VA expenses for providing credit-protection services.
Robert Gellman, a lawyer and privacy consultant, said that the liquidated-damages clause may be unique, but it probably won't chase any vendors away from signing contracts with the VA. "There is no other provision like this that I know of," Gellman said. "And while IT vendors never want to go on the hook for damages, no one is going to walk away from doing business with the VA because of this clause. I suppose they would raise their prices or improve their security, which is what they're supposed to do."