The impact of the patient data privacy and security provisions of the 21st Century Cures Act, signed into law Dec. 13, will depend, in part, on who is chosen to study key issues and come up with recommendations, says attorney Steven Teppler, who has handled health data breach litigation.
For example, the nearly 1,000-page act calls for the creation of a workgroup to study whether HIPAA regulations regarding the use and disclosure of protected health information for research purposes should be modified.
"If what is promulgated as a result of this act winds up being a watered down [privacy or security] requirement, then it will do more harm than good," Teppler says in an interview with Information Security Media Group. "My recommendation is to look at who the interested parties are who come to the table ... and you will see which way the wave will be headed."
Also, with Donald Trump entering the Oval Office in January, "you will probably see a more business-oriented approach in the promulgation of these regulations," he says. "I expect there to be fairly robust debate ... between the factions that are looking to issue the report of the working group."
Another provision of the new law provides for civil monetary penalties up to $1 million per violation against healthcare organizations and vendors that intentionally block permitted health information exchange among healthcare providers.
For larger organizations, Teppler says, "this might be no more than a parking ticket because you're talking about businesses that make hundreds of millions of dollars. You also have to look at the enforcement capability ...."
In the interview, Teppler also discusses:
- The privacy and security risks involving patient information used for research, including de-anonymized data;
- The implications of the new law's provisions related to mental health reform;
- The potential need for more government guidance related to the legislation's privacy and security provisions.
Teppler is a partner at the Abbott Law Group in Jacksonville, Fla., where he leads the electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach class action lawsuit against health plan AvMed that ended in a $3 million settlement in 2013. Teppler is also an adjunct professor at Nova Southeastern University Law School.