I failed in my last privacy post to mention what was happening in Massachusetts on protecting the privacy of personal credit card and financial information. There’s a bill in the state legislature there that would punish retailers when hackers or thieves get into their system and steal customer information. Under the proposed statute, retailers would be liable for the fraud-related losses and other specified costs of their customers.
Massachusetts regulators are also calling on retailers to start disclosing how well they protect customer credit-card and debit-card data. And in Congress, Barney Frank (D-Mass.) said he plans to craft a bill that would exempt companies from disclosing data breaches, provided they secure the data with encryption software or other technology that would render it virtually unreadable.
Here’s the rub: health care institutions, physician offices and other providers often store this kind of information as well. And they are, in many respects, retail operations. So you’ve got to wonder how they would fare under these kinds of legal requirements. Unfortunately, for some small office practices, the forces of change may simply be coming on too fast.
The pressure to trim costs and improve quality in health care using new information technology is enormous. Physicians especially are being hit hard and are trying frantically to catch up with Internet Nation. They’re struggling to adopt electronic medical records, submit electronic claims transactions to payers, write electronic prescriptions, share medical information with their colleagues through their local RHIOs, integrate their newly mandated National Provider Identifier (courtesy of the federal government) into their systems, and transact patient business by email. It’s a hefty investment in time, money and personal energy.
And since no good deed goes unpunished, you can now add to this electronic avalanche a new legal liability to their already immense risk of litigation.