Healthcare entities need to identify all their business associates, especially newly covered entities such as data storage companies, and ensure they have proper business associate agreements with them by Sept. 23, said William Maruca, a partner with Fox Rothschild LLP.
Healthcare companies also must have updated patient privacy notices in place by the deadline, Maruca said. The notice must specifically state that the covered entity is required to obtain the patient's authorization to use or sell his or her information for marketing or other purposes and to use or disclose psychotherapy notes, Maruca said. Privacy notices will also need to include a description of how an individual can revoke an authorization and explain their right to receive a notification in the event of a data breach, Maruca said.
"I think the readiness level varies considerably," Maruca noted. "Larger health systems and similar organizations with dedicated health privacy officers may be ahead of the curve, and some savvy smaller entities have been very proactive," he said. But "others are dragging their feet. I think it may take a high-profile enforcement ... to get the attention of the smaller players."
Deborah Peel, founder and chairman of the advocacy group Patient Privacy Rights, noted that while the changes are designed to improve patient privacy, several loopholes remain.
Despite the changes, most health data can still be sold, she said. There is also no chain of custody for health data despite the generally strong security and contract requirements for business associates and subcontractors, Peel said.
As a result there is no way for patients "to obtain a complete map or picture of who used your health information or why. Without a complete data map that tracks all flows of data, we have no idea about the harms and misuses, making it impossible to weigh the risks vs. benefits of using" health information technology systems, she noted.