On January 13, 2020, Jami Vibbert and Thora Johnson were quoted in Report on Medicare Compliance about inflection points in data privacy and security in healthcare to expect in 2020. According to the article, new state laws take effect in California and New York state that apply both to companies in those states and to companies that have consumers there, while the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services pushes ahead with its Right-of-Access Initiative.
"What I've seen ramp up at the end of 2019 and will be a big deal in 2020 is a lot of changes in how regulators view data security when it relates to health information," Vibbert says.
The California Consumer Privacy Act (CCPA) also allows patients and other consumers to sue companies privately for breaches, says Johnson. "There will be a more substantial hook for private litigants and state attorneys general to bring action against companies storing medical information," Vibbert adds. It should encourage companies to perform meaningful HIPAA security risk assessments and document them. California also has a new Internet of Things (IoT) law to improve safeguards for medical and other devices that don't store data, such as pacemakers, she says.
Meanwhile, OCR has already brought two right-of-access enforcement actions, Johnson says. "I think there will be a collective conscious culture shift" between HIPAA, CCPA, and other state laws, and the General Data Protection Regulation, Europe's comprehensive data protection and privacy framework, which applies to American companies in certain circumstances, Vibbert notes.