California Expands Data Breach Notification Laws – A Supplement To HIPAA?

California has recently passed a law updating its state data breach notification law.  Until now, notification was required when financial information was breached; under the new law, businesses holding data on California residents must also give notice when medical information is compromised.


Those who haven’t been following such things closely may wonder whether this is truly news (and whether it can be described as “innovative,” as some people covering the issue are calling it).  After all, doesn’t HIPAA already cover all that?  I was in that camp until a couple of weeks ago.  It turns out that I had made some assumptions regarding HIPAA.


What set me straight was an article in SmartMoney, which was quite a lucid read.  Essentially, it pointed out that HIPAA applies only to “covered entities,” meaning health care-related businesses such as health-care providers, insurers, and health-care billing services.  I’m sure there are many businesses that fall under this covered-entity status.


There are many companies that aren’t covered entities, and wouldn’t be, though.  Google and Microsoft are two examples.  Both are trying to get into the personal health records business (amid plenty of controversy, including what Google may do despite its “first, do no evil” creed).  Yet despite the fact that they’d be handling sensitive medical information, because they are not covered entities they would not have to report to anyone that they had suffered a data breach involving health records under current HIPAA rules.


That’s not to say that they don’t have anything in place for ensuring the security of medical data.  Companies like Google and Microsoft would set up their businesses to be compliant with HIPAA, or to mirror its requirements.  But as the SmartMoney article noted, the companies can change these terms at any time, since they usually reserve the right to change their policies, including without prior notification.  (I can bear witness to that.  I’ve read a lot of on-line fine print.)


For mega-titan companies like the above, I don’t worry too much about them not doing the right thing (I can already hear the snickers and snorts).  My reasons are quite simple.  They’ve got the money to implement good security; they can offer positive and negative incentives so employees follow proper security practices; and, this is the big one, they’ll be lambasted and sued for muchísimo dinero if they hide an instance of a data breach (whereas, if they alert the public, they’ll be sued for only mucho dinero).  Still, knowing that they’d be acting illegally by not alerting people is reassuring.


Since the California law is an extension of the original data breach notification law, I’m assuming that the new law also waives notification when the breached data was encrypted, such as data on a device protected by AlertBoot.
