Health Data Experts Praise Nod to Cybersecurity in SOTU Speech
January 21, 2015 in News
Ahead of Obama’s speech, the president detailed a proposal designed to prompt legislation on cybersecurity, which he said is “a growing public safety and public health” concern as more data are stored online.
Under the new plan, the federal government would grant limited liability protection to companies that promptly share cyberthreat information with the government. However, companies must take steps to remove any personally identifying data from the shared information (iHealthBeat, 1/14).
According to Modern Healthcare, the proposed information sharing criteria would be similar to those already created for electronic health record systems used in the meaningful use program. Under the 2009 economic stimulus package, providers who demonstrate meaningful use of certified EHRs can qualify for Medicaid and Medicare incentive payments (Modern Healthcare, 1/20).
Further, the proposal would expand the Department of Homeland Security’s outreach with certain organizations. For example, DHS would share cyberthreat data, such as Internet protocol addresses and routing information, with other federal agencies and private information-sharing organizations (iHealthBeat, 1/14).
Health Care Stakeholders’ Reactions
While Obama’s proposal is not specific to health care, several industry stakeholders highlighted its potential effects for health data.
Lisa Gallagher, vice president of technology solutions at the Healthcare Information and Management Systems Society, said Obama’s State of the Union address was a signal to lawmakers that the federal government believes cybersecurity is a sector that requires further action. She said, “It’s the administration coming out saying, ‘We recognize the threat.’”
Meanwhile, Daniel Nutkis — president and CEO of the Health Information Trust Alliance — said, “We’re really in favor of the government coming out with some guidelines,” noting that stakeholders need to be able to “consume” and “use” the cyberthreat information for the proposal to be effective.
Obama Calls for National Breach Notification Law
Meanwhile, Obama in his proposal called for a national data breach notification law, Modern Healthcare reports (Modern Healthcare, 1/20).
Under the proposal, affected individuals would have to be notified of a data breach within 30 days of discovery of the hack. The law would apply to “any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” (Goedert, Health Data Management, 1/19).
According to Kirk Nahra, a lawyer with Wiley Rein, the federal law would pre-empt 47 states’ similar notification laws.
However, Nahra said that the plan “carves out the banking and the health care industry, because they have their own breach laws.” He added that a draft proposal of the legislation would not alter HIPAA’s requirements (Modern Healthcare, 1/20).
HIPAA currently imposes a 60-day notification window on the health care industry (Health Data Management, 1/19).
However, the HIPAA amendment under the HITECH Act does not pre-empt state breach-notification laws, according to Nahra (Modern Healthcare, 1/20).