


Congressional Research Service
Informing the legislative debate since 1914


                                                                                                   January 30, 2015

Cyber Laws: Healthcare Information Technology (HIT)


The federal government has undertaken several initiatives
to promote healthcare information technology (HIT), which
involves the exchange of health information in an electronic
environment. Many are increasingly concerned about the
protection of healthcare information and technology from
cyberattacks.

Some 94 percent of medical institutions said their organizations
have been victims of a cyber attack, according to the Ponemon
Institute. Now, with the push to digitize all health care records,
the emergence of HealthCare.gov and an outpouring of
electronic protected health information (ePHI) being exchanged
online, even more attack surfaces are being exposed in the health
care field. SANS Institute, SANS Health Care Cyberthreat
Report 2, Feb. 2014.

Forbes Magazine, http://www.forbes.com/sites/danmunro/2014/12/21/the-top-u-s-healthcare-story-for-2014-cybersecurity/, selected cybersecurity as the top U.S.
healthcare story for 2014 because of:
*  The SANS healthcare cyberthreat report, which
   characterized the data as alarming, confirmed the
   industry's vulnerability, and revealed that the industry
   was far behind in cybersecurity.
*  The FBI Private Industry Notification (PIN) to the
   healthcare industry, which warned healthcare providers
   that their cybersecurity systems are lax compared with
   other sectors.
*  The breach of 4.5 million health records at Community
   Health Systems, the second largest U.S. hospital chain.
*  The Sony Pictures breach, which included detailed
   employee, spouse and dependent medical information.
Figure 1. Categories in Healthcare Compromised
[Chart; recoverable data labels: Health care clearinghouses, 0.5%; Pharmaceutical, 2.9%; Health plans, 6.1%; Other related health care entities, 8.5%]

Source: CRS prepared chart. Data from SANS Institute, SANS
Health Care Cyberthreat Report, Feb. 2014, http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf.


Laws to Promote HIT

Federal HIT legislation began in 1996 with Congress's passage of the
Health Insurance Portability and Accountability Act (HIPAA) to
facilitate the development of a health information system.
This was followed in 2004 by President Bush's initiative to
make electronic health records (EHRs) available to most
Americans within 10 years and the signing of the American
Recovery and Reinvestment Act of 2009 (ARRA) by
President Obama, which authorized $22 billion for HIT
efforts. Included in ARRA is the Health Information
Technology for Economic and Clinical Health Act
(HITECH Act), which promotes health information
technology through codification of the role of the Office of
the National Coordinator for Health Information
Technology (ONCHIT); adoption of standards for health
information technology; creation of grants and loan
programs to promote wider HIT use among health care
practitioners; and expansion of privacy and security
requirements for protected health information. The
HITECH Act also includes financial incentives for
Medicare and Medicaid health care providers who make
meaningful use of electronic health records.

HealthCare.gov: Privacy and Security

HealthCare.gov was created by the Patient Protection and
Affordable Care Act (ACA; P.L. 111-148, as amended) to
help individuals purchase health insurance. HealthCare.gov
is the federal Data Services Hub, which collects
voluntarily submitted, personally identifiable information
(PII) from consumers; routes the applicant's PII to federal
agencies for verification; and shares the PII with the state
Exchanges, health plans, and state and local agencies for
enrollment. The Hub connects to existing federal and state
databases, using computer matching programs, to verify
identity, citizenship, income, family size, immigration
status, incarceration, and minimum essential coverage.

The ACA Privacy and Security Rule provides that, where
the Exchange creates or collects PII for eligibility
determinations, the Exchange may only use or disclose such
PII to the extent necessary to carry out an Exchange
function. An Exchange is not permitted to create, collect, or
disclose PII for authorized functions unless the creation,
collection, use, or disclosure is consistent with ACA's
privacy and security standard. Other privacy and security
laws and regulations applicable to HealthCare.gov provide
as follows:
*  The Privacy Act governs the means by which federal
   agencies and their contractors collect, maintain, use, and
   disclose PII in a system of records. 5 U.S.C. § 552a.
*  The Health Insurance Exchanges (HIX) system of
   records notice (SORN) regulates the collection, creation,


www.crs.gov  7-5700


[Figure 1, continued; label displaced by scanning: Health care business associates, 9.9%]
