
HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part III

Posted in Privacy & Security, Sensitive Health Information

By Michael J. Kline and Elizabeth Litten

(Part III continues Part I and Part II of this series on privacy of health information in the domestic relations context, which may be found here and here. Capitalized words not defined in this Part III shall have the meanings assigned in Part I or Part II.)

6. The situation can be further complicated by the fact that the Affordable Care Act requires Insurers that offer dependent coverage to make the coverage available until the adult child reaches the age of 26 to avoid loss of health insurance for students after they graduate from college. Most Insurers permit adult children of 18 or over (e.g., those emancipated under state law) to block access to claims information by their parents, regardless of the fact the parent is paying for the coverage. Such an adult child is typically not a party to divorce settlements or decrees. In some states even minor children below the age of 18 may be permitted to block access to claims information by their parents.

7. HIPAA permits an individual to require a Provider to agree to the request of such individual to restrict disclosure of protected health information (“PHI”, as defined in HIPAA) about such individual to an Insurer if:

a. The disclosure is for the purpose of carrying out payment or health care operations (but not treatment) and is not otherwise required by law; and

b. The PHI pertains solely to a health care item or service for which the individual, or person other than the Insurer on behalf of the individual, has paid the Provider in full.

Adopting this payment approach may allow an individual to prevent his/her spouse from learning about specific events of diagnosis and treatment relating to such individual or his/her custodial children that would otherwise be available by access to claims information through an Insurer.

8. HIPAA provides that individuals have the right to request restrictions on how a Provider will use and disclose PHI about them for treatment, payment, and health care operations. A Provider is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. This type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

9. HIPAA also provides that individuals may request receiving confidential communications from a Provider, either at alternative locations or by alternative means. For example, an individual may request that her Provider call her at her office, rather than her home. A Provider must accommodate an individual’s reasonable request for such confidential communications. An Insurer must accommodate an individual’s reasonable request for confidential communications, if the individual clearly states that not doing so could endanger him or her. Again, as in item 8, this type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

10. A wide range of changes in circumstances, such as a change in employment and/or Insurer, obtaining services from a new Provider, relocation to a different state, changes in state law, reaching of majority age by children and/or life event changes that relate to provisions in a divorce or separation agreement or decree warrants revisiting these tips from time to time. HIPAA rights and responsibilities must be re-evaluated regularly in the context of the facts and circumstances involved at any given time.

Conclusion

The foregoing discussion refers to only a few of the many permutations of issues that may arise regarding IHI in the domestic relations context. It is intended to indicate the wide diversity of challenges and opportunities that spouses and domestic partners may encounter regarding access and blocking access to IHI. Individuals who need advice regarding legal aspects of their domestic relationships and/or disputes should seek counsel of professionals who have familiarity with the ramifications, complexities and continuous changes involving HIPAA, state privacy laws and IHI.

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part II

Posted in Privacy & Security, Sensitive Health Information

By Michael J. Kline and Elizabeth Litten

(Part I of this series on privacy of health information in the domestic relations context may be found here. Capitalized words not defined in this Part II shall have the meanings assigned in Part I.)

Tips on dealing with IHI Issues in the Domestic Relations Context

1. Whether an individual is in a stable domestic relations environment or involved in the breakdown of a relationship, careful attention should be given to the Notice of Privacy Practices (“NPP”) of the healthcare provider (“Provider”) or health insurer or health plan (collectively, “Insurer”) as to (i) who is entitled to access IHI in the possession of such Provider or Insurer and (ii) the extent to which a patient or subscriber has the right to block such access. For example, an employee subscriber of an employer health plan typically has access not only to all of his/her claims information, but also to all of the claims information of a covered estranged spouse and of dependents, even if such subscriber is not the custodial parent.

2. To the extent that an NPP of a Provider or Insurer does not answer a question about IHI access and blocking in the domestic context, an individual should direct the question to the Provider or Insurer, as applicable. However, there may not be a clear answer forthcoming.

3. Most Insurers permit a covered spouse to block access to his/her claims information from the other spouse, even if such other spouse is the employee subscriber or person responsible for paying for health care coverage. This is a matter that should be addressed in a domestic relations agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and limits of coverage affected by the claims of the other spouse. The desire to block access to IHI by the other spouse may be heightened in the case of diagnosis and treatment for sensitive health matters, such as mental illness, substance abuse, infectious diseases, etc. (This last consideration can be present even in a stable domestic relationship where a spouse wants to avoid disclosure regarding such potential ailments, even perhaps to prevent undue anxiety by the other spouse.)

4. Similarly, many Insurers will permit a spouse who has custody of children to block access to the claims information of such children from the other spouse, even if such other spouse is the employee subscriber or person who is paying for the health care coverage for the children. Again, consideration should be given to addressing this matter in a domestic relations agreement or divorce order or agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and coverage limits affected by unknown claims of children with respect to whom he/she lacks custody. Moreover, the custodial parent may wish to prevent access by the other parent to prevent what the custodial parent deems to be potential interference with the custodial parent’s discretion as to the appropriate course of treatment and provision of health care services to the children. The HIPAA Privacy Rule generally allows a parent to have access to the child’s medical records and claims information as the child’s personal representative, as long as such access is not inconsistent with state or other applicable law. Regardless, however, of whether a parent is the personal representative of a minor child, the HIPAA Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child.

5. Where there is shared custody of children, the issue can become even murkier. Without an agreement, there can be a new and unexpected domestic battlefield regarding access, control and blocking of IHI. While HIPAA requires a covered entity Insurer or Provider to treat a person that has authority (under applicable law) to act on behalf of another individual as the individual’s personal representative (thereby treating the personal representative as the individual), a Provider may choose not to treat a parent as a personal representative in certain circumstances, including where the Provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

(Part III of this series on privacy of health information in the domestic relations context will be posted shortly.)

 

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part I

Posted in Privacy & Security, Sensitive Health Information

By Michael J. Kline and Elizabeth Litten

The November 2014 ruling in the Connecticut Supreme Court in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —, 2014 WL 5507439 (2014) (the “Byrne case”) has been discussed in a number of posts on this blog, including those here and here. The main focus of such posts has been the Byrne case’s recognition of potential use of HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit, even though an individual cannot sue under HIPAA itself. In those earlier blog entries, we observed that the Connecticut case may spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

This blog entry will focus more on facts of the Byrne case and some of their implications for individual health information (“IHI”) privacy in the context of domestic relations – both in the divorce or legal separation context and even in a less confrontational domestic environment. In the divorce or breakup context, consideration should be given to privacy issues of IHI in settlement agreements and divorce decrees. While settlement agreements and divorce decrees often address healthcare and health insurance issues, especially where there are custodial children involved, addressing IHI issues is much less common.

The Byrne Case

We recently co-authored an article entitled “Utilizing HIPAA as a Basis for State Negligence Actions” that was first published in Volume 11 Issue 12 of Data Protection Law & Policy (December 2014). The article, which may be found here, focused more on the facts of the Byrne case than our earlier blog posts and illustrates how IHI issues may infiltrate the break-up of domestic relationships. Among other things, the plaintiff in the Byrne case complained that, upon the end of her five month relationship with an individual (the “Individual”), she instructed the defendant physician practice group (the “Group”), as permitted under the Notice of Privacy Practices (“NPP”) of the Group, not to release her medical records to the Individual. Thereafter, the Group was allegedly served with a subpoena requesting its presence, together with the plaintiff’s medical records, at a court proceeding. The Group apparently did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court, but rather mailed a copy of the plaintiff’s medical file to the court. The Individual later allegedly informed the plaintiff by telephone that he had reviewed the plaintiff’s medical file in the court file.

(Part II of this series on privacy of health information in the domestic relations context will be posted shortly.)

“Digital Quarantine” or Vaccination? What Cybersecurity Experts Can Learn from Health Care

Posted in Health IT, Privacy & Security

Perhaps the health care industry has a cybersecurity solution staring us in the face:  vaccines.  Perhaps we should be trying to vaccinate our data storage systems rather than relying on firewalls to quarantine them.  In an article posted on www.philly.com, Associated Press author Youkyung Lee says cybersecurity defense has traditionally been based “on the idea that computers could be protected by a digital quarantine.” Instead, posits Lee, experts need to focus on neutralizing attackers once they get inside a data system, rather than continuing the often-futile attempt to keep them out of the system.

Sounds like a digital vaccination to me.  According to the Centers for Disease Control, the United States is facing a multi-state measles outbreak associated primarily with unvaccinated individuals, and much has been written about parents who refuse to vaccinate their children and thereby unnecessarily and irresponsibly expose others to risk of infection.  When it comes to protecting the safety and wellbeing of protected health information and personal data maintained in a computer system, perhaps the vaccination approach is the way to go.

I turned to www.vaccines.gov for a quick description of how vaccines work in the human body.  Under “Mounting an Immune Response”, the site describes the skin in a way that makes it sound like a computer system’s firewall – it “provides an imposing barrier to invading microbes.  It is generally penetrable only through cuts or tiny abrasions.”  The digestive and respiratory tracts also work like firewalls, using acids and respiratory reflexes (coughs and sneezes) to destroy or expel invading microbes.  If the invading microbes succeed in crossing the body’s natural firewalls, the body’s immune system will kick in to thwart invading bacteria, viruses and parasites.  That’s where vaccines become helpful:

“Vaccines consist of killed or modified microbes, parts of microbes, or microbial DNA that trick the body into thinking an infection has occurred.  A vaccinated person’s immune system attacks the harmless vaccine and prepares for invasions against the kinds of microbe the vaccine contained.  In this way, the person becomes immunized against the microbe:  if re-exposure to the infectious microbe occurs, the immune system will quickly recognize how to stop the infection.”

The HIPAA Security Rule also seems to reflect a “digital quarantine” or firewall approach when it comes to implementing technical safeguards, describing implementation of access control, authentication procedures, and transmission security. (However, the requirement that covered entities and business associates implement audit controls that “record and examine activity in information systems that contain or use electronic protected health information” sounds a bit like the first step needed to develop an effective vaccine against hackers.)

So, since efforts to thwart hackers by using a “digital quarantine” (Lee’s description) or firewall type of barrier have been about as successful as relying on hand-washing and avoidance of theme parks to thwart measles, let’s hope cyber experts start to focus on developing digital vaccines.  These vaccines could not only train data systems to detect and stop a hacker after it has entered the system and before it can damage, remove, or copy the data, but also perhaps even trap the virus or other hacking mechanism for identification, analysis, and law enforcement purposes.

Welcome to “Fraud Fridays”

Posted in Health IT, New Jersey, Privacy & Security, Security Breach Notification, Sensitive Health Information

This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.


Fraud is on the rise in every industry and the lengths that some people will go to make money by “gaming” the system is both fascinating and alarming.  Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches a la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs? In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice? Consider the following:

1. Perform a “Check-up.” Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete. Have your patients completed intake forms? Is there proper documentation of an accident or injury? How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information.  Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.

Basic HIPAA Question for Mobile Health Application Developers: What Are You?

Posted in Health IT, Privacy & Security, Uncategorized

Health-related technology has developed light-years faster than health information privacy and security protection laws and policies, and consumers can find new mobile health applications for a wide range of purposes ranging from diabetes management to mole or rash evaluation to fitness tracking.  Smart mobile app developers wondering when and how HIPAA privacy and security requirements affect their products need to take a step back and ask that most basic of HIPAA questions:  What am I?

The question is one that has been posed on this blog in the past, and one worth returning to on a regular basis because the answer is not always obvious, but is critical for HIPAA compliance.

The Secretary of Health and Human Services (HHS) recently released a letter written to U.S. Representative Peter DeFazio regarding development and use of mobile health apps and HIPAA compliance reminding him (and anyone reading the letter) that:

“The first question for any entity … is whether it is a covered entity or a business associate within the meaning of the HIPAA rules.” 

The Secretary then helpfully provides links to the Office for Civil Rights (OCR) website’s “frequently asked questions” tools (see here for examples of “Who are Business Associates” and here for information on Covered Entities) and points out that OCR works closely with the Office of the National Coordinator for Health Information Technology (ONC) developing guidance and tools (a tool specific to mobile device privacy and security is available here) for securing health information technology. However, there’s no quick and easy way to figure out whether HIPAA applies to a specific mobile health application. The inquiry must always go back to the beginning: are you a Business Associate (or subcontractor of a Business Associate) or a Covered Entity? If not, while there may be other state and federal laws that require you to protect individually identifiable information (of which protected health information, or PHI, is a subset), HIPAA does not apply.

Bear in mind that your HIPAA identity will change depending on who is using you and for what purpose.  If you develop a mobile health app allowing an individual to create, receive, maintain or transmit information about herself, it is likely the app is not covered by HIPAA because the individual is not acting as a Business Associate or Covered Entity when using the app.  Even if the individual uses the app to send her PHI to her health care provider, the app most likely will not be subject to HIPAA, just as the patient herself is not subject to HIPAA with respect to information about herself she chooses to share with her provider. However, if you develop the app for use by the health care provider, you very well may be a Business Associate to the Covered Entity health care provider.  In this scenario, if you are providing a service on behalf of the provider that involves your access to PHI (whether sent by the individual patient herself or not), you must comply with HIPAA.

So while the basic “What am I?” question sounds simple, the answer requires consideration of who is downloading and using the mobile health app you create, and the purpose for which it is being used.

Not All Sensitive Health Information is Protected Health Information Under HIPAA

Posted in Sensitive Health Information

Recently our partner Keith R. McMurdy posted an entry on the Fox Rothschild Employee Benefits Legal Blog entitled “HIPAA Medical Privacy Matters: Court Permits ADA Claim to Proceed.”  While the full text of the excellent blog posting can be found here, I thought that a specific HIPAA point in Keith’s posting was well worth emphasizing:  individual sensitive health information (ISHI) and the communication thereof may not constitute protected health information (PHI) that is regulated by HIPAA.

As described in the blog posting, ISHI was provided by the father of a seriously sick child on behalf of and for the child in an e-mail he sent to his employer’s CFO. The employer’s self-insured health plan apparently had received claims approximating $1,000,000 for treatment for the child who was covered under the plan.

Keith points out,

Arguably, Myers’ [the father’s] e-mail did not implicate HIPAA medical privacy concerns because the [i]nformation provided voluntarily by the patient himself or herself (or in this case the parent of a minor patient) is not protected health information (PHI) under HIPAA.   Further, because the CFO knew about the sick child, he was able to review the plan expenses and deduce that the higher costs were associated with that particular dependent.  Even that was not in and of itself a violation of HIPAA medical privacy (assuming his role with the plan was part of the plan’s operation).  So there is no indication that there was an improper use of PHI so as to create a privacy violation under HIPAA.

Among other things, the blog entry highlights the fact that the source of ISHI (in this case the parent of the child who sent the e-mail to the CFO), and the circumstances under which the ISHI is shared (in this case by the father to the CFO of the plan sponsor), may materially impact whether the ISHI is PHI that is subject to regulation under HIPAA.

Medicare ACO Claims Data Sharing and Opt-Out, Take 2

Posted in Privacy & Security, Uncategorized

I had an interesting conversation with Mike Barrett, Chairman of the National Association of ACOs, as a result of my January 7th post on the Medicare beneficiary opt-out process described in Medicare Shared Savings Program (“MSSP”) regulations proposed by the Centers for Medicare & Medicaid Services (“CMS”).  My blog post meant to highlight a proposed opt-out process that seems unnecessarily obscure:  Will a Medicare beneficiary know about, find, and navigate the “Medicare & You” website, and then realize:  (1) he or she may be part of an ACO, by virtue of the participation of his or her physician; and (2) he or she has the ability to “opt-out” of having certain Medicare claims information shared with his or her ACO-participating physician?  Really??

But, after speaking with Mike, I realized there was a more important issue to be addressed than the murkiness of the opt-out option:  Should Medicare give the beneficiary attributed to a MSSP ACO an opt-out option in the first place?  Maybe it’s not the obscurity of the opt-out process that I should write about, but whether the opt-out is needed to begin with.

The preamble to the proposed MSSP regulations (Preamble) offers abundant and credible justification for the sharing of beneficiary claims information by a health plan (in this case, Medicare) with an ACO that either is a covered entity itself or is a business associate which has contracted with covered entity health care providers for legitimate “health care operations” purposes.  In fact, the Preamble discussion of “health care operations” and what constitutes the “minimum necessary” data required to engage meaningfully in such activities is helpfully robust and more detailed than what can be found generally in the HIPAA preamble discussion and regulations.  The performance evaluation, quality assessment activities, care coordination activities, and population-based health care improvement activities are, CMS emphasizes in the Preamble, “health care operations” of the MSSP ACOs, and Medicare must give ACOs “appropriate access to a beneficiary’s identifiable claims data” in order to achieve the goals of the MSSP ACO program.

CMS also points out that “HIPAA does not require that beneficiaries be presented with an opportunity to decline claims data sharing before their PHI can be shared,” noting that, under several other CMS initiatives, claims data is shared with providers in the absence of a Medicare beneficiary opt-out option.

Rather than giving Medicare beneficiaries the obscure claims data sharing “opt-out” proposed in the MSSP regulations, perhaps CMS should simply advise all Medicare beneficiaries at the time of eligibility and in other communications (in a prominent place, such as the first page of “Medicare & You”) that certain of their claims information will be shared with their health care providers and, if applicable, the MSSP ACO in which the providers participate.  If the Medicare beneficiary does not want this claims information shared, he or she can “opt-out” by selecting a primary care provider that does not participate in the MSSP ACO or does not submit claims to Medicare.  This is one situation in which the benefits of basic clarity and transparency (in terms of how and when Medicare will share claims data) outweigh the negligible PHI privacy protections of this ACO opt-out.

HIPAA Compliance Trends for 2015

Posted in Articles, HIPAA Business Associates, HIPAA Enforcement

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year. While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas. We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use a covered entity’s de-identified patient data for the business associate’s own uses. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Practice Compliance Alert.

New NJ Standard More Stringent than HIPAA

Posted in New Jersey

New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey.  Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person).  “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:

* Social security number

* Driver’s license number or State identification card number

* Address

OR

* Individually identifiable health information as defined under HIPAA

Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law. “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tablets or other mobile devices, or removable media.”

The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA.  For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier.  A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.