PRISM Privacy Issues Translate Into HIPAA Liability Risks

When Google, Apple, and other major players deny cooperating with the federal government and allowing access to their computers for PRISM’s massive data surveillance program, healthcare providers and business associates should not be reassured. Either these players are issuing denials to cover their backsides, or they are admitting that the government is able to breach all of their security to sift their data on a 24/7 basis without them ever catching on.

If Uncle Sam can do it, so can the Chinese and perhaps the Russian Mafia. Uncle Sam has admitted to sharing the data with at least one foreign country (presumably Britain) in what some people are calling a “you spy on my citizens, I will spy on yours” arrangement to give plausible denial to both countries. How many times data gets leaked remains to be seen. The disclosure of PRISM has already prompted a movement in the EU to revoke the “safe harbor” exception for the US and US companies for EU privacy compliance regulations because the US cannot guarantee minimum security standards for data.

For those with HIPAA responsibilities, this raises a huge red flag about the security of the internet and of the “Cloud” for storing confidential patient data.

Computer security experts are already predicting that the exponential growth of the cloud may hit a brick wall when companies realize that the cloud is not as secure as it is held out to be. Many electronic medical records use cloud hosting or storage, leaving security in doubt.

So, will encrypting data in use, in motion, and at rest solve the problem? Certainly, encryption is a start, but if PRISM and other programs — be assured there are probably multiple programs doing different things to scarf up data that we do not know about (plausible denial, again) — are capable of reading everything, does that mean even encrypted data? And, given that certain words or patterns trigger “deeper dives” in the surveillance parlance, would effective encryption put a red flag on your operation? We don’t know yet…and maybe never will.

Some people will be tempted to say that it is “only the government” and that privacy doesn’t really matter anyway. HIPAA says privacy matters, and that the covered entity and business associates are liable for data breach response costs, fines, and possible jail time for breaches. State and common-law liability put the covered entity and business associate at risk for civil liability.

If the industry cannot rely on these major providers to assure us of actual secure and private online operations, then covered entities and business associates are taking a huge risk putting their HIPAA data in the care of these players.

Telling lies, plausible denial, or totally inadequate security — you can call it whatever you want, but it still says HIPAA covered entities and business associates should keep their data off the internet and out of the cloud.
