January 30, 2015
Cyber Laws: Healthcare Information Technology (HIT)
The federal government has undertaken several initiatives
to promote healthcare information technology (HIT), which
involves the exchange of health information in an electronic
environment. Many are increasingly concerned about the
protection of healthcare information and technology from
“Some 94 percent of medical institutions said their organizations
have been victims of a cyber attack, according to the Ponemon
Institute. Now, with the push to digitize all health care records,
the emergence of HealthCare.gov and an outpouring of
electronic protected health information (ePHI) being exchanged
online, even more attack surfaces are being exposed in the health
care field.” SANS Institute, SANS Health Care Cyberthreat
Report 2, Feb. 2014.
Forbes Magazine, http://www.forbes.com/sites/danmunro/
2014/12/21/the-top-u-s-healthcare-story-for-2014cybersecurity/, selected cybersecurity as the top U.S.
healthcare story for 2014 because of:
• The SANS healthcare cyberthreat report, which
characterized the data as alarming, confirmed the
industry’s vulnerability, and revealed that the industry
was far behind in cybersecurity.
• The FBI Private Industry Notification (PIN) to the
healthcare industry, which warned healthcare providers
that their cybersecurity systems are lax compared with
• The breach of 4.5 million health records at Community
Health Systems—the second largest U.S. hospital chain.
• The Sony Pictures breach—which included detailed
employee, spouse and dependent medical information.
Figure 1. Categories in Healthcare Compromised
Source: CRS prepared chart. Data from SANS Institute, SANS
Health Care Cyberthreat Report, Feb. 2014, http://pages.norsecorp.com/rs/norse/images/Norse-SANS-Healthcare-CyberthreatReport2014.pdf.
Laws to Promote HIT
What began in 1996 with Congress’s passage of the Health
Insurance Portability and Accountability Act (HIPAA) to
facilitate the development of a health information system.
This was followed in 2004 by President Bush’s initiative to
make electronic health records (EHRs) available to most
Americans within 10 years and the signing of the American
Recovery and Reinvestment Act of 2009 (ARRA) by
President Obama, which authorized $22 billion for HIT
efforts. Included in ARRA is the Health Information
Technology for Economic and Clinical Health Act
(HITECH Act), which promotes health information
technology through codification of the role of the Office of
the National Coordinator for Health Information
Technology (ONCHIT); adoption of standards for health
information technology; creation of grants and loan
programs to promote wider HIT use among health care
practitioners; and expansion of privacy and security
requirements for protected health information. The
HITECH Act also includes financial incentives for
Medicare and Medicaid health care providers who make
meaningful use of electronic health records.
HealthCare.gov: Privacy and Security
HealthCare.gov was created by the Patient Protection and
Affordable Care Act (ACA; P.L. 111-148, as amended) to
help individuals purchase health insurance. HealthCare.gov
is the federal “Data Services Hub,” which collects
voluntarily submitted, personally identifiable information
(PII) from consumers; routes the applicant’s PII to federal
agencies for verification; and shares the PII with the state
Exchanges, health plans, and state and local agencies for
enrollment. The Hub connects to existing federal and state
databases, using computer matching programs, to verify
identity, citizenship, income, family size, immigration
status, incarceration, and minimum essential coverage.
The ACA Privacy and Security Rule provides that, where
the Exchange creates or collects PII for eligibility
determinations, the Exchange may only use or disclose such
PII to the extent necessary to carry out an Exchange
function. An Exchange is not permitted to create, collect, or
disclose PII for authorized functions unless the creation,
collection, use, or disclosure is consistent with ACA’s
privacy and security standard. Other privacy and security
laws and regulations applicable to HealthCare.gov provide
• The Privacy Act governs the means by which federal
agencies and their contractors collect, maintain, use, and
disclose PII in a system of records. 5 U.S.C. § 552a.
• The Health Insurance Exchanges (HIX) system of
records notice (SORN) regulates the collection, creation,
www.crs.gov | 7-5700
Cyber Laws: Healthcare Information Technology (HIT)
use and disclosure of PII on individuals who apply for
eligibility determinations, and the performance of
Exchange functions. 78 Fed. Reg. 8538.
• The ACA Privacy and Security Rule for Health
Exchanges includes standards to safeguard PII collected,
used, and disclosed by Healthcare.gov and the state
health Exchanges; and require the Exchanges to
implement privacy and security policies., 45 C.F.R. Part
155. For example, the DC Health Benefit Exchange
Authority (“Authority”), http://hbx.dc.gov/, has adopted
privacy and security policies.
• The E-Government Act requires federal agencies to
conduct Privacy Impact Assessments (PIA) prior to
sharing PII. P.L. 107-347.
Federal agencies and their contractors must adhere to
the Federal Information Security Management Act
(FISMA) in developing, documenting, and
implementing programs to provide security for federal
government information and information systems. 44
U.S.C. Chapter 35, Subchapters II and III.
Exchanges and their contractors must adhere to the
taxpayer privacy and data safeguard requirements of the
Internal Revenue Code, 26 U.S.C. § 6103.
At its launch, HealthCare.gov was heavily criticized for its
security flaws. Recently, it has come under renewed
criticism for sharing sensitive personal information with
private companies that specialize in advertising and data
analysis. More than 50 companies are reported to have
gained access to the personal information of millions.
HealthCare.gov’s privacy policies state that “no personally
identifiable information” is collected by third-party web
measurement tools. In response, HHS announced that it
would launch a review of its privacy policies, contracts for
third-party tools and URL construction.
HIPAA Privacy, Security, and Breach
Notification Rules, 45 C.F.R. Part 160
The HIPAA Privacy Rule. HHS issued the final Privacy
Rule on April 14, 2003, applicable to health plans, health
care clearinghouses, and health care providers who transmit
financial and administrative transactions electronically. The
rule regulates protected health information (PHI) that is
“individually identifiable health information” transmitted
by or maintained in electronic, paper, or any other medium.
The HIPAA Privacy Rule limits the circumstances under
which an individual’s protected health information may be
used or disclosed by covered entities. A covered entity is
permitted to use or disclose protected health information
without patient authorization for treatment, payment, or
health care operations. For other purposes, a covered entity
may only use or disclose PHI with patient authorization
subject to certain exceptions. Exceptions permit the use or
disclosure of PHI without patient authorization or prior
agreement for public health, judicial, law enforcement, and
other specialized purposes.
HIPAA Security Rule in 2003. The Security Rule applies
only to protected health information in electronic form
(EPHI), and requires a covered entity to ensure the
confidentiality, integrity, and availability of all EPHI the
covered entity creates, receives, maintains, or transmits.
Covered entities must protect against any reasonably
anticipated threats or hazards to the security or integrity of
such information and any reasonably anticipated uses or
disclosures of such information that are not permitted or
required under the Privacy Rule and ensure compliance by
their workforces. The Centers for Medicare and Medicaid
Services (CMS) has been delegated authority to enforce the
HIPAA Security Rule. The Security Rule establishes
“standards” that covered entities must meet, accompanied
by implementation specifications for each standard. The
Security Rule identifies three categories of standards:
administrative, physical, and technical.
Notice of Unauthorized Disclosure of PHI. The HITECH
Act requires a covered entity to notify affected individuals
when it discovers that their unsecured PHI (defined in HHS
guidance) has been, or is reasonably believed to have been,
breached. This requirement applies to covered entities that
access, maintain, retain, modify, record, store, destroy, or
otherwise hold, use, or disclose unsecured protected health
information. The scope of notification is dependent upon
the number of individuals involved. The Secretary of HHS
must be notified, and must list on the website covered
entities with breaches involving more than 500 individuals.
Generally, notice must be given without unreasonable
delay, but no later than 60 days after the breach is
discovered. Delayed notification is permitted for law
enforcement purposes if notice would impede a criminal
investigation or cause damage to national security.
Notification of a breach must include a description of what
occurred; the types of information involved; steps
individuals should take; what the covered entity is doing to
investigate, mitigate, and protect against further harm; and
contact information. Annually, the Secretary is required to
submit a report to Congress on the breaches and actions.
Notice of Unauthorized Disclosure of PHRs. The
HITECH Act also includes a breach notification
requirement for personal health records (PHR) vendors,
service providers to PHR vendors, and PHR servicers that
are not covered entities or business associates. These
entities are required to notify citizens and residents of the
United States whose unsecured “PHR identifiable health
information” has been, or is believed to have been,
breached. Covered entities are also required to notify the
Federal Trade Commission (FTC). The requirements
regarding notifications are identical to the requirements
applicable to breaches of unsecured PHI.
Gina Stevens, firstname.lastname@example.org, 7-2581
The HIPAA Security Rule. HIPAA also required adoption
of a national security standard for the protection of
individually identifiable health information. HHS issued the
www.crs.gov | 7-5700