Cyber Laws: Healthcare Information Technology (HIT)

Updated January 30, 2015

The federal government has undertaken several initiatives to promote healthcare information technology (HIT), which involves the exchange of health information in an electronic environment. Many are increasingly concerned about the protection of healthcare information and technology from cyberattacks.

“Some 94 percent of medical institutions said their organizations have been victims of a cyber attack, according to the Ponemon Institute. Now, with the push to digitize all health care records, the emergence of HealthCare.gov and an outpouring of electronic protected health information (ePHI) being exchanged online, even more attack surfaces are being exposed in the health care field.” SANS Institute, SANS Health Care Cyberthreat Report 2, Feb. 2014.

Forbes Magazine, http://www.forbes.com/sites/danmunro/2014/12/21/the-top-u-s-healthcare-story-for-2014-cybersecurity/, selected cybersecurity as the top U.S. healthcare story for 2014 because of:

• The SANS healthcare cyberthreat report, which characterized the data as alarming, confirmed the industry’s vulnerability, and revealed that the industry was far behind in cybersecurity.

• The FBI Private Industry Notification (PIN) to the healthcare industry, which warned healthcare providers that their cybersecurity systems are lax compared with other sectors.

• The breach of 4.5 million health records at Community Health Systems—the second largest U.S. hospital chain.

• The Sony Pictures breach—which included detailed employee, spouse and dependent medical information.

Figure 1. Categories in Healthcare Compromised

Source: CRS prepared chart. Data from SANS Institute, SANS Health Care Cyberthreat Report, Feb. 2014, http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf.

Laws to Promote HIT

Federal promotion of HIT began in 1996 with Congress’s passage of the Health Insurance Portability and Accountability Act (HIPAA) to facilitate the development of a health information system. This was followed in 2004 by President Bush’s initiative to make electronic health records (EHRs) available to most Americans within 10 years and the signing of the American Recovery and Reinvestment Act of 2009 (ARRA) by President Obama, which authorized $22 billion for HIT efforts. Included in ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which promotes health information technology through codification of the role of the Office of the National Coordinator for Health Information Technology (ONCHIT); adoption of standards for health information technology; creation of grants and loan programs to promote wider HIT use among health care practitioners; and expansion of privacy and security requirements for protected health information. The HITECH Act also includes financial incentives for Medicare and Medicaid health care providers who make meaningful use of electronic health records.

HealthCare.gov: Privacy and Security

HealthCare.gov was created by the Patient Protection and Affordable Care Act (ACA; P.L. 111-148, as amended) to help individuals purchase health insurance. HealthCare.gov is the federal “Data Services Hub,” which collects voluntarily submitted, personally identifiable information (PII) from consumers; routes the applicant’s PII to federal agencies for verification; and shares the PII with the state Exchanges, health plans, and state and local agencies for enrollment. The Hub connects to existing federal and state databases, using computer matching programs, to verify identity, citizenship, income, family size, immigration status, incarceration, and minimum essential coverage. The ACA Privacy and Security Rule provides that, where the Exchange creates or collects PII for eligibility determinations, the Exchange may only use or disclose such PII to the extent necessary to carry out an Exchange function. An Exchange is not permitted to create, collect, or disclose PII for authorized functions unless the creation, collection, use, or disclosure is consistent with ACA’s privacy and security standard. Other privacy and security laws and regulations applicable to HealthCare.gov provide as follows:

• The Privacy Act governs the means by which federal agencies and their contractors collect, maintain, use, and disclose PII in a system of records. 5 U.S.C. § 552a.

• The Health Insurance Exchanges (HIX) system of records notice (SORN) regulates the collection, creation, use and disclosure of PII on individuals who apply for eligibility determinations, and the performance of Exchange functions. 78 Fed. Reg. 8538.

• The ACA Privacy and Security Rule for Health Exchanges includes standards to safeguard PII collected, used, and disclosed by Healthcare.gov and the state health Exchanges, and requires the Exchanges to implement privacy and security policies. 45 C.F.R. Part 155. For example, the DC Health Benefit Exchange Authority (“Authority”), http://hbx.dc.gov/, has adopted privacy and security policies.

• The E-Government Act requires federal agencies to conduct Privacy Impact Assessments (PIA) prior to sharing PII. P.L. 107-347.

• Federal agencies and their contractors must adhere to the Federal Information Security Management Act (FISMA) in developing, documenting, and implementing programs to provide security for federal government information and information systems. 44 U.S.C. Chapter 35, Subchapters II and III.

• Exchanges and their contractors must adhere to the taxpayer privacy and data safeguard requirements of the Internal Revenue Code, 26 U.S.C. § 6103.

At its launch, HealthCare.gov was heavily criticized for its security flaws. Recently, it has come under renewed criticism for sharing sensitive personal information with private companies that specialize in advertising and data analysis. More than 50 companies are reported to have gained access to the personal information of millions. HealthCare.gov’s privacy policies state that “no personally identifiable information” is collected by third-party web measurement tools. In response, HHS announced that it would launch a review of its privacy policies, contracts for third-party tools and URL construction.

HIPAA Privacy, Security, and Breach Notification Rules, 45 C.F.R. Part 160

The HIPAA Privacy Rule. HHS issued the final Privacy Rule on April 14, 2003, applicable to health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically. The rule regulates protected health information (PHI) that is “individually identifiable health information” transmitted by or maintained in electronic, paper, or any other medium.

The HIPAA Privacy Rule limits the circumstances under which an individual’s protected health information may be used or disclosed by covered entities. A covered entity is permitted to use or disclose protected health information without patient authorization for treatment, payment, or health care operations. For other purposes, a covered entity may only use or disclose PHI with patient authorization subject to certain exceptions. Exceptions permit the use or disclosure of PHI without patient authorization or prior agreement for public health, judicial, law enforcement, and other specialized purposes.

The HIPAA Security Rule. HIPAA also required adoption of a national security standard for the protection of individually identifiable health information. HHS issued the HIPAA Security Rule in 2003. The Security Rule applies only to protected health information in electronic form (EPHI), and requires a covered entity to ensure the confidentiality, integrity, and availability of all EPHI the covered entity creates, receives, maintains, or transmits. Covered entities must protect against any reasonably anticipated threats or hazards to the security or integrity of such information and any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule, and ensure compliance by their workforces. The Centers for Medicare and Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Rule. The Security Rule establishes “standards” that covered entities must meet, accompanied by implementation specifications for each standard. The Security Rule identifies three categories of standards: administrative, physical, and technical.

Notice of Unauthorized Disclosure of PHI. The HITECH Act requires a covered entity to notify affected individuals when it discovers that their unsecured PHI (defined in HHS guidance) has been, or is reasonably believed to have been, breached. This requirement applies to covered entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The scope of notification is dependent upon the number of individuals involved. The Secretary of HHS must be notified, and must list on the website covered entities with breaches involving more than 500 individuals. Generally, notice must be given without unreasonable delay, but no later than 60 days after the breach is discovered. Delayed notification is permitted for law enforcement purposes if notice would impede a criminal investigation or cause damage to national security. Notification of a breach must include a description of what occurred; the types of information involved; steps individuals should take; what the covered entity is doing to investigate, mitigate, and protect against further harm; and contact information. Annually, the Secretary is required to submit a report to Congress on the breaches and actions.

Notice of Unauthorized Disclosure of PHRs. The HITECH Act also includes a breach notification requirement for personal health records (PHR) vendors, service providers to PHR vendors, and PHR servicers that are not covered entities or business associates. These entities are required to notify citizens and residents of the United States whose unsecured “PHR identifiable health information” has been, or is believed to have been, breached. Covered entities are also required to notify the Federal Trade Commission (FTC). The requirements regarding notifications are identical to the requirements applicable to breaches of unsecured PHI.

Gina Stevens, Legislative Attorney
IF10114
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10114 · VERSION 2 · UPDATED