Healthcare companies also must have updated patient privacy notices in place by the deadline, Maruca said. The notice must specifically state that the covered entity is required to obtain the patient's authorization to use or sell his or her information for marketing or other purposes and to use or disclose psychotherapy notes, Maruca said. Privacy notices will also need to include a description of how an individual can revoke an authorization and explain their right to receive a notification in the event of a data breach, Maruca said.
"I think the readiness level varies considerably," Maruca noted. "Larger health systems and similar organizations with dedicated health privacy officers may be ahead of the curve, and some savvy smaller entities have been very proactive," he said. But "others are dragging their feet. I think it may take a high-profile enforcement ... to get the attention of the smaller players."
Deborah Peel, founder and chairman of the advocacy group Patient Privacy Rights, noted that while the changes are designed to improve patient privacy, several loopholes remain.
Despite the changes, most health data can still be sold, she said. There is also no chain of custody for health data despite the generally strong security and contract requirements for business associates and subcontractors, Peel said.
As a result, there is no way for patients "to obtain a complete map or picture of who used your health information or why. Without a complete data map that tracks all flows of data, we have no idea about the harms and misuses, making it impossible to weigh the risks vs. benefits of using" health information technology systems, she noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.