Thursday, January 7, 2010

Hackers, HITECH and HIPAA in DTC Genomics, Oh My!

At our practice we run a pretty tight ship when it comes to security of patient records. Why do we do this? Well there are 2 big reasons.

1. It's the right thing to do.
2. The law will put you in the hurt locker if you don't

I want to talk about reason 2 a little bit.

With all of this protection of health information and DTC genomics companies going bankrupt, I begin to really wonder who a covered entity is.

Daniel Vorhaus over at Genomics Law Review has a pretty good break down of it, but I think there may be some nuances not covered. As well as a notable lack of coverage of HITECH policies in the ARRA.


Yes the recovery act has stuff on Health care privacy in it. In HIPAA DTC Genomics may not be covered, but I think in HITECH they are.

Why have I been reading this stuff? Because it's my job.

According to HITECH

H.R.1 150 Title XIII (HITECH)
SEC. 13404

For the purposes of compliance with privacy and security regulations, a "covered entity" and its "business associate" are equally liable as if each were itself was a covered entity.

Which means if I send a DTC genomic test off with a doctor's order, AKA Illumina, a breach in that data due to the lab or interpretive business associate THEY are just as liable as the physician.

This means that DTC Genomic tests ordered by physicians fall into a completely more risky category than those ordered by Joe Blow.

This one risk may be why DTC is dying not to make these tests gatekeeper specific. Once these tests become gatekeeper specific, DTC will

A. No longer be DTC
B. No longer be free of HITECH and HIPAA

Which means a big 'ol nightmare for these companies as they want to emphasize the social networking part. You see, social networks have always balanced growth versus security and the same is true for any Internet Technology.

But let's say this is just one rogue hacker who has decided to hack a genome record ordered by a physician.......Via say a hacked email or website........

What is the penalty?

This is the scary part.

Sec. 1320d-6. Wrongful disclosure of individually identifiable          health information           (a) Offense      A person who knowingly and in violation of this part--         (1) uses or causes to be used a unique health identifier;         (2) obtains individually identifiable health information      relating to an individual; or         (3) discloses individually identifiable health information to      another person,  shall be punished as provided in subsection (b) of this section.  (b) Penalties      A person described in subsection (a) of this section shall--         (1) be fined not more than $50,000, imprisoned not more than 1      year, or both;          (2) if the offense is committed under false pretenses, be fined      not more than $100,000, imprisoned not more than 5 years, or both;      and         (3) if the offense is committed with intent to sell, transfer,      or use individually identifiable health information for commercial      advantage, personal gain, or malicious harm, be fined not more than      $250,000, imprisoned not more than 10 years, or both. 

So let's say someone hacked a record to get the one up on you, maybe you are a political candidate or maybe a business competitor, or maybe they want to sue you.......
If this rogue hacker performs an act of this on genomic information ordered by a doctor or that can be defined as PHI, these are the penalties. If it is not considered PHI, it is a far lesser offense.......
So the question is, do you want these protections if you are a customer/patient? I would say Hell Yeah.
But do you want them as a covered entity? Uhhhhh.....Ahem.......Well........
As a doctor we have to follow these. Why shouldn't anyone else who has been given the responsibility of handling human samples?
The Sherpa Says: As a consumer HITECH is great. But as a start up company it can prove to be a nightmare. But those who have to risk the most are the huge companies making millions of dollars....can you say class action lawsuit for millions? I know a few lawyers who would be interested in that! I wonder if the DTC Genomics investors thought of that


Andrew Y said...

Oh, and the feds are after you if you have a website that is not yet obviously a covered entity or its business associate.

H.R.1 150 Congress, Title XIII (HITECH)

Section 13424

(1) STUDY.—Not later than one year after the date of the
enactment of this title, the Secretary, in consultation with
the Federal Trade Commission, shall conduct a study, and
submit a report under paragraph (2), on privacy and security
requirements for entities that are not covered entities or busi-
ness associates as of the date of the enactment of this title,
(A) requirements relating to security, privacy, and
notification in the case of a breach of security or privacy
(including the applicability of an exemption to notification
in the case of individually identifiable health information
that has been rendered unusable, unreadable, or indeci-
pherable through technologies or methodologies recognized
by appropriate professional organization or standard set-
ting bodies to provide effective security for the information)
that should be applied to—
(i) vendors of personal health records;
(ii) entities that offer products or services through
the website of a vendor of personal health records;
(iii) entities that are not covered entities and that
offer products or services through the websites of cov-
ered entities that offer individuals personal health
(iv) entities that are not covered entities and that
access information in a personal health record or send
information to a personal health record; and
(v) third party service providers used by a vendor
or entity described in clause (i), (ii), (iii), or (iv) to
assist in providing personal health record products or

Dan Vorhaus said...

Steve -

You are correct that the ARRA, specifically the HITECH portion of the Act, expanded HIPAA's security provisions (and penalties) to cover business associates and covered entities equally (although I think the specific provisions you want to reference are Sec. 13401(a) and Sec. 13401(b)).

However, let's keep in mind that, as Emily and Lawrence discussed in their original post (, companies providing direct-to-consumer (DTC) services are, by definition, not operating through a covered entity and are therefore unlikely to be classified as business associates subject to HIPAA's privacy protections. The situation is not so clear for other companies that are often categorized as DTC but may more accurately be described as direct-to-consumer-via-provider, which is the situation that seems to concern you.

There are plenty who share your confusion about why HIPAA's privacy rules should apply to some genetic testing providers and not others and, as Andrew rightly points out (and as was also discussed in the original piece on the Genomics Law Report), there is joint HHS/FTC study that is investigating just this issue. We will hope to see their findings some time this Spring.

- Dan

Steve Murphy MD said...

Thank you so much. That's why I love your blog! I learn so much and it stimulates me to read more.

Glad you are in this space!