Eye on Privacy: 4 Things All Marketers Need to Know About HIPAA/HITECH
If you aren't a part of the healthcare industry, you may be only vaguely familiar with these laws. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, and the Privacy and Security Rules that resulted from this law, covering Protected Health Information (PHI), have been in place since 2003. Health Information Technology for Economic and Clinical Health (HITECH) was passed in 2009 and the final rules are expected early this year. But, if you aren't in healthcare, why should you care?
First, the new HITECH final rules may apply to you, whether you realize it or not. Since 2003, companies doing business with those covered by HIPAA (Covered Entities) have been known as business associates and bear certain responsibilities under the law. HITECH takes the business associate concept even further by assigning specific responsibility and accountability to previously defined business associates, and it casts a wider net by giving subcontractors legally enforceable responsibilities as well.
Even if your company isn't covered under HIPAA/HITECH, there are lessons here for all of us. HIPAA/HITECH is the most recent federal law to address privacy and security, and it probably holds some clues about what we can expect from broader legislation based on the Commerce Department's Consumer Privacy Bill of Rights.
• Protected Data: HIPAA/HITECH specifically defines PHI and expects it to be used only in the context under which it was collected. This lines up with the principles of individual control, transparency and respect for context. Consumers can feel safe providing information because they understand why the data is being collected and the limited context in which it will be used. Consumers have control over whether they allow their data to be used outside this context.
• Specific Security Standards: HITECH sets specific requirements for data encryption, transfer and destruction. These are based on National Institute of Standards and Technology standards. One would expect the same type of standards to appear under the security principle of the Commerce Department's framework. These HITECH standards also align with the focused collection principle in the area of data destruction.