At our practice we run a pretty tight ship when it comes to security of patient records. Why do we do this? Well there are 2 big reasons.
1. It's the right thing to do.
2. The law will put you in the hurt locker if you don't
I want to talk about reason 2 a little bit.
Why?
With all of this protection of health information and DTC genomics companies going bankrupt, I begin to really wonder who a covered entity is.
Daniel Vorhaus over at Genomics Law Review has a pretty good break down of it, but I think there may be some nuances not covered. As well as a notable lack of coverage of HITECH policies in the ARRA.
Wha?
Yes the recovery act has stuff on Health care privacy in it. In HIPAA DTC Genomics may not be covered, but I think in HITECH they are.
Why have I been reading this stuff? Because it's my job.
According to HITECH
H.R.1 150 Title XIII (HITECH)
SEC. 13404For the purposes of compliance with privacy and security regulations, a "covered entity" and its "business associate" are equally liable as if each were itself was a covered entity.
Which means if I send a DTC genomic test off with a doctor's order, AKA Illumina, a breach in that data due to the lab or interpretive business associate THEY are just as liable as the physician.
This means that DTC Genomic tests ordered by physicians fall into a completely more risky category than those ordered by Joe Blow.
This one risk may be why DTC is dying not to make these tests gatekeeper specific. Once these tests become gatekeeper specific, DTC will
A. No longer be DTC
B. No longer be free of HITECH and HIPAA
Which means a big 'ol nightmare for these companies as they want to emphasize the social networking part. You see, social networks have always balanced growth versus security and the same is true for any Internet Technology.
But let's say this is just one rogue hacker who has decided to hack a genome record ordered by a physician.......Via say a hacked email or website........
What is the penalty?
This is the scary part.
Sec. 1320d-6. Wrongful disclosure of individually identifiable health information (a) Offense A person who knowingly and in violation of this part-- (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section. (b) Penalties A person described in subsection (a) of this section shall-- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
So let's say someone hacked a record to get the one up on you, maybe you are a political candidate or maybe a business competitor, or maybe they want to sue you.......If this rogue hacker performs an act of this on genomic information ordered by a doctor or that can be defined as PHI, these are the penalties. If it is not considered PHI, it is a far lesser offense.......So the question is, do you want these protections if you are a customer/patient? I would say Hell Yeah.But do you want them as a covered entity? Uhhhhh.....Ahem.......Well........As a doctor we have to follow these. Why shouldn't anyone else who has been given the responsibility of handling human samples?The Sherpa Says: As a consumer HITECH is great. But as a start up company it can prove to be a nightmare. But those who have to risk the most are the huge companies making millions of dollars....can you say class action lawsuit for millions? I know a few lawyers who would be interested in that! I wonder if the DTC Genomics investors thought of that
