Thursday, January 7, 2010
At our practice we run a pretty tight ship when it comes to the security of patient records. Why do we do this? Well, there are two big reasons.
1. It's the right thing to do.
2. The law will put you in the hurt locker if you don't.
I want to talk about reason 2 a little bit.
With all of this protection of health information and DTC genomics companies going bankrupt, I begin to really wonder who a covered entity is.
Daniel Vorhaus over at Genomics Law Review has a pretty good breakdown of it, but I think there may be some nuances not covered, as well as a notable lack of coverage of the HITECH provisions in the ARRA.
Yes, the Recovery Act has stuff on health care privacy in it. Under HIPAA, DTC genomics may not be covered, but I think under HITECH they are.
Why have I been reading this stuff? Because it's my job.
According to HITECH
Which means if I send a DTC genomic test off with a doctor's order (to a lab such as Illumina), then for a breach of that data caused by the lab or an interpretive business associate, THEY are just as liable as the physician.
This means that DTC genomic tests ordered by physicians fall into a completely more risky category than those ordered by Joe Blow.
This one risk may be why DTC is dying not to make these tests gatekeeper-specific. Once these tests become gatekeeper-specific, DTC will:
A. No longer be DTC
B. No longer be free of HITECH and HIPAA
Which means a big 'ol nightmare for these companies, as they want to emphasize the social networking part. You see, social networks have always balanced growth versus security, and the same is true for any Internet technology.
But let's say this is just one rogue hacker who has decided to hack a genome record ordered by a physician, via, say, a hacked email account or website.
What is the penalty?