Health+Benefits the May 2013 issue

New Medical Privacy Rules Shift Your Risk

Q&A with Ben Beeson, Partner, Global Technology & Privacy Practice, Lockton Cos.
Posted on April 22, 2013

What’s the threat to personal medical information from hackers?

Medical information is an increasingly lucrative area because what medical information can help you do is steal someone’s identity. When you’ve got someone’s identity, you can open bank accounts, access free healthcare, do all sorts of different things, and make money that way.

Healthcare has come under more intense scrutiny for data security. Why?

The (U.S. Department of Health and Human Services) has just come out with a final security and privacy ruling under HIPAA that is more stringent than any other industry vertical around data security and privacy. It’s the only federal requirement to notify individuals following a breach of their PHI [personal health care information]. It’s driven at the state level for every other type of personally identifiable information. More importantly, what it’s done, which is quite challenging for anybody handling PHI, is it’s made the vendors, the business associates, as liable in law as the covered entities, such as hospitals.

What impact has that had on the industry?

There is a lot of wrangling between covered entities and business associates. They’re trying to push that risk one way, and the vendor is trying to push it back as much as they can. By that I mean, who’s going to do the notification, who’s going to pay for that; who’s going to help those affected, who’s going to pay for that?

What does it mean for healthcare companies?

It means that this risk no longer sits within your IT department. This is a boardroom risk. Non-compliance with HIPAA has such bad consequences for you as a healthcare organization that you now must realize at a board level that you have to address it properly.
