Today we are connected by ever more powerful devices with ever-increasing communication capabilities. Moreover, more and more physical objects or “things” are embedded with electronics, software, sensors and connectivity to enable them to achieve greater value and service by exchanging data. As the amount of information and data exchanged by communication and other devices increases, ensuring the privacy and security of that information and data becomes increasingly difficult. For businesses and other entities looking to take advantage of modern communication and device capabilities to gather and use data, the difficulty of ensuring the privacy and security of the data can lead to liability. A prime example of this is the health care arena, where patient health information is gathered and exchanged.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 imposes specific requirements on the management of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) by covered entities (e.g., physicians, hospitals, and insurance providers) as well as their business associates. The Act engendered a regulatory framework that includes the HIPAA Security Rule and the HIPAA Privacy Rule (“HIPAA Rules”). Specifically, the HIPAA Security Rule mandates the use of specific physical, technical and administrative safeguards in information technology (IT) systems that store or transact with EPHI. Meanwhile, the HIPAA Privacy Rule sets protocols with respect to the correction, disclosure, and notification of PHI and EPHI.
One of the most salient aspects of the HIPAA Rules and the related acts and regulations is that covered entities are held accountable for the security and management of the PHI and EPHI under their control. In practice, each item of PHI or EPHI is treated as being owned by at least one covered entity. This ownership paradigm avoids ambiguity about liability in the event of a security breach.
In addition to the formal medical records that are traditionally maintained for each patient, healthcare providers also routinely engage in ad hoc communication in order to coordinate and facilitate treatment for individual patients. Ad hoc communication can convey PHI and EPHI, and is therefore subject to the same HIPAA Rules as formal patient records. In practice, however, healthcare providers must rely on legacy communication technologies (e.g., facsimile, paging, and email) to conduct ad hoc communication. These conventional modes of communication are generally insecure and cannot be readily adapted to comply with the HIPAA Rules.