Especially after the COVID-19 pandemic, healthcare organizations are facing increased pressure on how to share their patients’ health information to promote better patient outcomes. At the same time, organizations need to think of cyber programs to protect their patients and customers as they are the target of cyber attackers trying to access their data.
Get the latest information on state-specific policies for the healthcare industry delivered to your inbox.
According to Forbes, from 2020 to 2021, the weekly average of cyberattacks against healthcare facilities increased by 71%. Recently in Michigan, the nation’s largest family-owned prosthetic provider, Wright & Filippis, have issued a data breach notice to current patients, former patients and employees because they were victims of a cybersecurity attack that occurred in January 2022.
The cyberattack did not gain access to medical records, but the attackers may have gained access to Wright & Filippis records of their current patients, former patients, and employees, which include names, dates of birth, patient numbers, numbers social security, financial account numbers and health insurance information.
Family businesses are not the only victims of cyberattacks—data breaches have occurred across the state of Michigan. Last October, Michigan Medicine exposed health care information for more than 34,000 people, which “contained identifiable patient information such as names, medical record numbers, addresses, date of birth and other information relating to health and insurance”. In August, the Michigan law firm, Warner Norcross and Judd LLPsent notification letters to 255,160 people about a security breach, which contained personal and protected health information about people within their system.
In 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPPA), which created a national standard to protect sensitive patient health information from disclosure without the patient’s consent or knowledge.
Government privacy laws vary from state to state. For example, the Seyfarth Healthcare Group conducted a survey of the 50 states and their privacy laws, which violated each state’s privacy laws. The survey shows which states have expanded or further defined protected health information, protected covered entities, security obligations, and what constitutes a violation or unlawful disclosure.
Currently, for Michigan, for what constitutes a violation or unlawful disclosure or rules governing business associates, Michigan does not have additional protections beyond HIPAA. The notable policy regarding Michigan’s HIPPA was the Access to Medical Records Actadopted in 2004.
The Medical Records Access Act set out a protocol for the handling of medical records by health care providers, setting a maximum amount of fees that may be charged for copies of personal medical records. It also created a $250 civil penalty for failing to provide notice of a safety breach to patients.
During this legislative session, the Michigan Legislature introduced legislation relating to cyberattacks. October 5e2021, Senator Wayne Schmidt (R) – Presentation of Grand Traverse Senate Bill 672which was immediately referred to the Committee on Energy and Technology.
SB 672 encourages organizations—by creating a shield for protection against tort liability—to establish, implement, and maintain a cybersecurity program. The program would be based on industry standards, size of organization and sensitivity of protected information.
The cybersecurity program should be designed to protect the security and privacy of personal information and anticipated threats or dangers. SB 672 references frameworks such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure and HIPAA.
March 9e, 2022, the Michigan Senate passed SB 672 by party lines with a margin of 20 yeses, 17 noes, and 1 member not voting. SB 672 is currently awaiting a hearing at the Michigan House of Representatives Financial Services Committee.
Michigan’s SB 672 is certainly a creative litigation incentive for an organization to develop a cybersecurity program, although it focuses more on protecting the organization from litigation rather than protecting the right of the individual to privacy. One problem is clear: cyberattacks are on the rise, and Michigan policy must keep pace with changing technology to protect the privacy rights of individuals.
#Michigan #Considers #Legislation #Prevent #Cyberattacks #State #Reform