New HIPAA Privacy and Security Enforcement Laws Favor Smart Card Use In Healthcare

Changes in the new law include a data breach notification requirement if 500 or more personal health records are compromised
8th Annual Smart Cards in Government Conference, Washington, DC, November 3, 2009 -- New enforcement laws gave HIPAA privacy and security regulations a big boost under the American Recovery and Reinvestment Act of 2009 (ARRA), and also extended HIPAA regulations to more businesses, attendees learned at the 8th Annual Smart Cards in Government Conference. With the Obama administration and Congress showing they are serious about protecting an individual's healthcare information, identity and authentication solutions based on smart card technology become a much more attractive proposition for healthcare companies charged with protecting the security of personal health records.

Lisa Gallagher, senior director, privacy and security for HIMSS, explained provisions of the new law and provided attendees with an update on the implications. Some of the most important changes are in enforcement of the HIPAA privacy and security requirements, because Congress came to believe the lack of consequences for noncompliance reduced focus on the issue. "Whether or not that's true, that is the perception of Congress based on the feedback they were getting from patients and patient advocates," said Gallagher.

Congress did a couple of things they thought would help change that. "First of all, they clarified that criminal penalties under HIPAA could be applied to individuals," Gallagher said, overriding an earlier Justice Department memo that had taken the opposite position and caused confusion. In addition, the new statute details a tiered system of civil monetary penalties and mandates periodic compliance audits. States' Attorneys General also have the right to bring lawsuits if they feel their citizens' rights have been violated in some way.

There are other significant changes in the new law, including a data breach notification requirement, which requires notifying individuals and media if 500 or more personal health records are compromised. ARRA extends HIPAA requirements to Personal Health Record (PHR) vendors, Gallagher said. There are also clarifications, such as the standards for accounting disclosures. Individuals can request copies of personal health records, called accounting disclosures in the law, and organizations are responsible for providing three years of records back from the date of the request. If the records are stored in electronic format, individuals now have the right to request an electronic copy. The Department of Health and Human Services (HHS) Office of the National Coordinator (ONC) is developing the standards for accounting disclosures. That document draft will be delivered after the first of the year to the HHS Office for Civil Rights, the organization that will do the actual rulemaking. The goal is to have the rules available by June 30, 2010.

Two important anniversary dates are coming up quickly according to Ed Jones, founding partner of The first is February 17, 2010, the first anniversary of the ARRA. By this date, covered entities must put in place compliance documentation for the HIPAA security rule, which applies to employees who touch protected healthcare information one way or another. Jones estimates this applies to between 55 and 60 percent of the approximately 15 million people working in the healthcare industry. The second important date is February 22, 2010, when the government will start enforcing the data breach notification law. A breach is defined as an event that compromises the privacy or security of protected health information and poses a significant financial, reputation or other risk to the affected individual.

With the federal government's new vision of enforcement and compliance, smart card technology for healthcare identity management takes on a new level of importance. Smart cards provide a proven way to uniquely and securely authenticate an individual across the entire national healthcare system, including over the Internet. They protect security and privacy by giving individuals control over access to their personal records. For enterprises, smart cards can be used by employees who need to access healthcare records, providing high levels of security and a non-repudiable record of who accesses information and when, to aid in compliance with healthcare information protection laws.

The Smart Card Alliance Healthcare Council has prepared briefs and white papers that explain how smart card technology can enhance the privacy and security of personal health records, and also provide a solid foundation of identity for healthcare information systems. For more information please visit

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit
