Mahmood Sher-jan, vice president of product management with data-breach consulting firm ID Experts in Portland, Ore., says he's heard clients say the rule could force them to stop providing services to these self-pay opt-out patients, rather than risk breaching their security.
“They are to the point that they were going to refuse to provide (out-of-pocket) services to a patient because that puts them in a bind,” Sher-Jan says. “This is an ongoing concern, and I don't think it has been addressed.”
Understanding that section of the law has been one of the more stressful aspects of implementing the rule, but by no means the only challenge or lingering concern.
Another concern is the question of whether all computers—including desktop units—should have their data encrypted as a safeguard against security threats and potential government sanctions.
Encryption is not required, but compliance lawyers call it a “magic bullet” that can prevent data breaches. That's because if stolen data is encrypted consistent with guidelines certified by the National Institute of Standards and Technology, a breach is not considered to have taken place. In other words, the provider does not have to report a breach to patients or the government if the data is encrypted in ways that thieves should not be able to read it.
However, encryption can be costly, slow down network speeds, and make sensitive computers accessible to only one employee. While the majority of providers are already requiring it on laptops, experts say recent incidents involving stolen desktop units or even central computer servers have put the issue under a spotlight.
Meanwhile, lawyers and consultants have been busy addressing other issues in the law, particularly the updating of thousands of contracts with “business associates”—an expanded definition of which now imposes new data-security responsibilities and liabilities on virtually any entity that comes into contact with patients' protected health information, including subcontractors that do business with hospitals' partners.
That would include hospital contractors' cloud-computing providers, who might not even be aware yet that they are now liable under the expanded rules in the Health Insurance Portability and Accountability Act.
All told, the Office for Civil Rights estimated that U.S. healthcare providers and their contractors will spend about 620,000 hours preparing organizations for the new rule, and 32 million more hours complying with its various provisions each year, much of it on contracting.