A number of Massachusetts healthcare providers have joined with area businesses to express concern over a new law aimed at protecting state residents from identity theft.
The legislation, set to go into effect Jan. 1, 2009, would expand the state's current identity-theft prevention requirement to include encryption of personal information sent to portable devices, such as laptop computers and hand-held PDAs. But while most Massachusetts businesses, including hospitals, support the law, they are concerned they won't be able to meet the state's deadline.
"The Massachusetts Hospital Association believes the new regulations' scheduled implementation date of Jan. 1, 2009, cannot be met," said MHA spokeswoman Catherine Bromberg in a written statement. Last week, the MHA joined a broad coalition of businesses that sent a letter to Gov. Deval Patrick expressing their concerns and asking for a reasonable one-year delay.
The encryption requirements are part of identity-theft legislation signed into law in August 2007, but only in late September did Massachusetts officials release a set of final regulations outlining steps that healthcare providers and other businesses must take to protect consumers.
In response to the letter, Kofi Jones, spokeswoman for the state's Housing and Economic Development department, said many companies had most of the required measures to protect personal information already in place.
"We believe that the January 1 deadline provides ample time for the remaining companies to come into compliance, but we will continue to review concerns."
At issue for hospitals, according to the MHA statement and joint letter, is concern over the cost of and ability to add encryption capabilities to systems that may be several years old. While the state has provided a checklist of IT security requirements (many of which hospitals have already adopted as a result of Health Insurance Portability and Accountability Act regulations), healthcare providers are concerned they will run into problems implementing encryption technology for portable devices, said MHA officials, who called the mandate particularly troubling.
Karen Grant, chief privacy officer for Massachusetts' 10-hospital Partners HealthCare System, Boston, said her system is preparing for the new encryption requirement, but they are also concerned about the cost and short window of compliance. "The estimated cost is in the high six figures," said Grant, who noted the system is still in the process of reviewing their technology needs for meeting the encryption requirements. "We agree with the hospital association that everybody needs more time," she added. "In terms of the rule, it's very detailed and very challenging, but we do believe it's the right thing to do."