Health Care Law Blog

"It's a war we're in." That's how John Halamka, the chief information officer of Boston-based Beth Israel Deaconess Medical Center, described the current state of affairs between the health care industry and the hackers and identity thieves who are trying to steal patient records.

A recent Boston Globe article detailed the threat and provided some interesting - and sobering - statistics and information:

• There is high demand for health records, and a single health record may be worth $50 according to the FBI
• Criminal intrusions into health care systems have risen 100 percent in the past four years
• Of 614 total identity theft breaches in 2013, 269 (43.8 percent) were in health care (the most of any industry)
• Despite being the subject of the most attacks, a recent study by BitSight Technologies found that health care providers are the slowest in any industry to respond to data breaches.

Hackers are motivated to target health records in order to facilitate identity theft, financial fraud and illegal drug use. The Boston Globe article, in particular, highlighted two recent incidents involving cyber-security breaches:  (1) Chinese hackers seized the personal information of 4.5 million patients at a Tennessee-based hospital network, and (2) federal officials disclosed on September 4 that a hacker managed to install malicious software on HealthCare.gov.

The Final HIPAA Omnibus Rule ("Final Rule"), published January 25, 2013, contains several new requirements for business associate ("BA") agreements. While the requirements went into effect on September 23, 2013, grandfathered BA agreements that were in place prior to January 25, 2013 were deemed to be in compliance for one year. Now that the one year expiration of the deemed compliance is quickly approaching, covered entities and business associates must ensure that their grandfathered BA agreements are updated to comply with the Final Rule before the September 22, 2014 deadline.

To meet the deadline, covered entities and business associates should review and update all existing BA agreements to determine whether they are HIPAA-compliant. The Final Rule also requires business associates to have written BA agreements with their subcontractors that comply with the new requirements.

Michigan legislators Gretchen Whitmer (D- East Lansing) and Gretchen Driskell (D-Saline) plan to introduce a bill in the Senate and House this week entitled the "Reproductive Health Coverage Information Act," which would require employers to provide both prospective and current employees with information about health insurance coverage relating to reproductive health.