Senior Communications Manager
Privacy Practice Chair Kirk Nahra Comments on HHS Data Protection Rules
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was quoted in a January 18 GigaOM article about long-awaited health-care privacy rule changes announced by the U.S. Department of Health and Human Services (HHS).
The updated Health Insurance Portability and Accountability Act’s (HIPAA) rules, in addition to covering health care providers, doctors and insurance companies, also apply to their “business associates” such as contractors or service providers, Mr. Nahra told GigaOM. That could include electronic health record companies, telehealth companies and others that contract with hospitals or insurance companies, he said.
To comply with the rules, Mr. Nahra said companies may need to take steps such as evaluating the extent to which they encrypt data, training all employees on privacy and security, developing appropriate information-disposal procedures, designating a security official and implementing appropriate contracts with subcontractors.
“They need to consider whom they are doing business with, how they will obtain information from those in the circle, whether they can sell their product to enough people without getting into the circle and how to build sufficient confidence with these other entities (and consumers),” Mr. Nahra added.
The new rules raise the maximum penalty for negligence, strengthen data breach notification requirements under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act and provide new requirements on the use of patient information for fundraising and marketing, according to the GigaOM article.
“It’s a big deal,” Mr. Nahra said. “The government hasn’t been incredibly aggressive about enforcing it, but they’re getting more aggressive.”