Over the last few years, laws have evolved to cover changing concerns about digital privacy, but there is still a lot of confusion among computer consultants regarding their responsibilities for data protection.
When does data need to be encrypted? When am I liable for data breaches? Knowing the answers to these questions and understanding your legal requirements can mean the difference between growing your business and being crippled by a major lawsuit.
Violating data breach laws (including HIPAA and HITECH) can result in regulatory penalties and lawsuits, either of which can cost over $1 million.
Medical Data Protection under HIPAA and HITECH Regulations
IT consultants who work with doctors, clinics, pharmacists, or anyone who handles medical information need to be familiar with two laws:
- HIPAA (Health Insurance Portability and Accountability Act of 1996).
- HITECH (Health Information Technology for Economic and Clinical Health Act of 2009).
These acts are often referred to separately, but in practice they function as one set of regulations. HIPAA established the Privacy and Security Rules; HITECH later strengthened them, made business associates (including IT consultants who handle PHI on a covered entity's behalf) directly liable for compliance, and added the Breach Notification Rule and higher penalties.
What do they cover? Among other things, these laws require businesses to…
- Give patients access to their protected health information (PHI) within 30 days of receiving a request (one 30-day extension is allowed if the patient is told the reason and the new date in writing).
- Protect PHI in transit (e.g., email, video conferencing, electronic fax). Under the Security Rule, encryption of electronic PHI is an "addressable" specification: you must either implement it or document why an equivalent alternative is reasonable. In practice, encrypt it. A breach of properly encrypted PHI is generally not a reportable breach, because the notification rule applies to "unsecured" PHI.
- Follow a documented procedure for disposing of old hardware and storage media that hold PHI, so that the data is sanitized or the media destroyed before it leaves your control.
- Follow the HIPAA Breach Notification Rule: notify affected patients without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more people must also be reported to Health and Human Services (HHS) within the same 60 days, and to prominent media outlets if more than 500 residents of a state are affected; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year.
To learn more about these regulations, you can read the government's official 45-page guide to HIPAA and HITECH and check out our blog post “HITECH: The Strictest Data Protection Law.”
One last important thing to know about these laws is that violations carry civil monetary penalties, and they can be extremely expensive. The statutory tiers (HHS adjusts the dollar amounts for inflation each year) are:
- $100 to $50,000 per violation (up to $1.5 million per calendar year for violations of the same provision) when the covered entity did not know about the violation, or it was due to reasonable cause rather than willful neglect.
- $10,000 to $50,000 per violation (same $1.5 million annual cap) when the violation was due to willful neglect but is corrected within 30 days, and $50,000 per violation when it is not corrected.
(Here’s a chart explaining HIPAA and HITECH fines, put together by Indiana University).
Cyber Liability for Data Leaks
If your IT business doesn't work in the medical industry but still handles private data, you need to be aware of various data privacy requirements. In this context, private data (personally identifiable information, or PII) includes Social Security numbers, dates of birth, driver's license numbers, and credit card or bank account numbers.
Cyber liability laws vary from one state to the next. Apart from sector-specific rules such as HIPAA/HITECH (and the Gramm-Leach-Bliley Act for financial institutions), there is no general federal data breach notification law, so every U.S. state has set its own requirements, and IT professionals have to follow whichever apply to the data they hold.
Depending on the state, after a data breach, computer consultants may have to...
- Notify affected individuals whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
- Report the breach to the state attorney general (often only once the number of affected residents exceeds a threshold).
- Inform the nationwide consumer reporting agencies, typically when more than 1,000 residents are affected.
- Follow specific rules about how they contact affected individuals (mail, email, or substitute notice via website posting and media) and how quickly. Several states set a hard deadline, commonly 30 to 60 days from discovery; the rest require notice "without unreasonable delay".
One point matters especially for consultants: most state laws place the duty to notify consumers on the business that owns or licenses the data. A service provider that merely maintains the data for a client is usually required to notify that client promptly after discovering a breach, and the client then handles consumer notices. Your contracts should spell out who notifies whom, and how fast.
These requirements are further complicated by the fact that the applicable law is generally that of each affected individual's state of residence, not the state where you or your client operates. A client whose customers are spread across several states may therefore have to follow several different notification regimes at once.
(We’ve detailed these requirements in our article “What’s Your Data Breach Notification Plan?").
The Takeaway: Know Your Liabilities
With the law continually changing to adapt to concerns about data security, IT consultants need to be aware of their legal responsibilities. Following the letter of the law can help you avoid expensive litigation and protect your clients' data.
For more about insuring your company from the cost of a data breach, talk with one of our agents today.