Michigan considering legislation to prevent cyber attacks

Especially following the COVID-19 pandemic, healthcare organizations face added pressure on how to share their patients’ health information to promote better outcomes for patients. At the same time, organizations need to think of cyber programs to protect their patients and clients because they are being targeted by cyber-attackers trying to access their data.

 


 

According to Forbes, from 2020 to 2021, the average number of weekly cyber attacks on healthcare organizations increased by 71%. Recently in Michigan, the nation’s largest family-owned provider of prosthetics, Wright & Filippis, issued a notice of data breach to current patients, former patients, and employees because it was the victim of a cybersecurity attack that happened in January 2022.

The attackers did not access medical records, but they may have accessed Wright & Filippis’s files on current patients, former patients, and employees, which include names, dates of birth, patient numbers, social security numbers, financial account numbers, and health insurance information.

Family-owned businesses are not the only victims of cyber-attacks; data breaches have been happening all over the state of Michigan. Last October, Michigan Medicine exposed healthcare information of more than 34,000 people, which “contained identifiable patient information such as names, medical record numbers, addresses, date of birth, and other health and insurance related information.” In August, the Michigan law firm Warner Norcross and Judd LLP issued notification letters to 255,160 individuals regarding a security breach, which contained personal and protected health information on individuals within their system.

In 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA), which created a national standard to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Furthermore, in 2000, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule, which contains standards for individuals’ rights to understand and control how their health information is used. “A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.”

Privacy laws vary from state to state. For instance, Seyfarth’s Health Care group conducted a survey of all 50 states that broke down each state’s privacy laws. The survey shows which states have expanded or further defined protected health information, protected covered entities, security obligations, and what constitutes a breach or unlawful disclosure.

Currently, Michigan does not have additional protections on top of HIPAA regarding what constitutes a breach or unlawful disclosure, or rules governing business associates. A notable Michigan policy related to HIPAA was the Medical Records Access Act, which was passed in 2004.

The Medical Records Access Act defined protocol for healthcare providers’ handling of medical records, establishing a maximum fee amount that could be charged for copies of personal medical records. It also created a civil fine of $250 for failure to provide notice of a security breach to patients.

This legislative session, the Michigan Legislature has introduced legislation addressing cyber security attacks. On October 5th, 2021, Sen. Wayne Schmidt (R) – Grand Traverse introduced Senate Bill 672, which was immediately referred to the committee on energy and technology.

SB 672 encourages organizations—by creating a shield for tort protection—to establish, implement, and maintain a cyber security program. The program would be based on their industry standards, scale of the organization, and the sensitivity of the information being protected. 

The cyber security program would have to be designed to protect the security and confidentiality of personal information and to protect against anticipated threats or hazards. SB 672 references frameworks like the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure and HIPAA.

On March 9th, 2022, the Michigan Senate passed SB 672 along party lines with a margin of 20 yeas, 17 nays, and 1 member not voting. SB 672 currently awaits a hearing in the Committee on Financial Services in the Michigan House of Representatives.

Michigan’s SB 672 is certainly a creative litigation incentive to have an organization develop a cyber security program, although it focuses more on shielding the organization from litigation than on protecting the individual’s right to privacy. One issue is clear: cyber attacks are on the rise, and Michigan policy needs to keep up with technology to protect the privacy rights of individuals.