There isn’t much that the ACA hasn’t changed in the healthcare industry, and data security is no exception. Since the bill’s introduction and the opening of the healthcare exchanges, lawmakers on both sides of the aisle have made claims that the bill doesn’t do enough to protect the personal information of healthcare recipients.
Now, a new bill aims to address at least some of those concerns. The Health Exchange Security and Transparency Act of 2014, or HESTA, is a straightforward bill that has already passed the House of Representatives with bipartisan support. How straightforward is it? Here is the text of the bill in its entirety, minus the title:
"Not later than two business days after the discovery of a breach of security of any system maintained by an Exchange established under section 1311 or 1321 of the Patient Protection and Affordable Care Act (42 U.S.C. 18031, 18041) which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of Health and Human Services shall provide notice of such breach to each such individual."
Overall, the bill seems reasonable. The text of the bill matches many state-level requirements for reporting data breaches, though it does feature a much shorter timeframe of only 48 hours from discovery to notification. For a larger organization that must sift through tens of thousands of records, this could prove to be overly optimistic.
However, the bill does not set any additional requirements for the actual protection of PII or healthcare data. In other words, HIPAA and HITECH are still the norm, and ensuring compliance will continue to be extremely important for companies hoping to work in the new exchange system.
TokenEx’s tokenization and data vaulting services are a simple way to ensure compliance with healthcare regulations. By removing the data from your systems and de-identifying it to meet compliance standards, TokenEx helps companies work inside the regulations set by HIPAA without incurring a huge compliance burden themselves.
Laws like HESTA are a step in the right direction for effective data security and breach reporting, but it’s important to remember that the true burden of data security is keeping data secure in the first place.