Yes the recovery act has stuff on Health care privacy in it. In HIPAADTCGenomics may not be covered, but I think in HITECH they are.
Why have I been reading this stuff? Because it's my job.
According to HITECH
H.R.1 150 Title XIII (HITECH)
For the purposes of compliance with privacy and security regulations, a "covered entity" and its "business associate" are equally liable as if each were itself was a covered entity.
Which means if I send a DTC genomic test off with a doctor's order, AKA Illumina, a breach in that data due to the lab or interpretive business associate THEY are just as liable as the physician.
This means that DTC Genomic tests ordered by physicians fall into a completely more risky category than those ordered by Joe Blow.
This one risk may be why DTC is dying not to make these tests gatekeeper specific. Once these tests become gatekeeper specific, DTC will
A. No longer be DTC
B. No longer be free of HITECH and HIPAA
Which means a big 'ol nightmare for these companies as they want to emphasize the social networking part. You see, social networks have always balanced growth versus security and the same is true for any Internet Technology.
But let's say this is just one rogue hacker who has decided to hack a genome record ordered by a physician.......Via say a hacked email or website........
Sec. 1320d-6. Wrongful disclosure of individually identifiable health information (a) Offense A person who knowingly and in violation of this part-- (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section. (b) Penalties A person described in subsection (a) of this section shall-- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
So let's say someone hacked a record to get the one up on you, maybe you are a political candidate or maybe a business competitor, or maybe they want to sue you.......
If this rogue hacker performs an act of this on genomic information ordered by a doctor or that can be defined as PHI, these are the penalties. If it is not considered PHI, it is a far lesser offense.......
So the question is, do you want these protections if you are a customer/patient? I would say Hell Yeah.
But do you want them as a covered entity? Uhhhhh.....Ahem.......Well........
As a doctor we have to follow these. Why shouldn't anyone else who has been given the responsibility of handling human samples?
The Sherpa Says: As a consumer HITECH is great. But as a start up company it can prove to be a nightmare. But those who have to risk the most are the huge companies making millions of dollars....can you say class action lawsuit for millions? I know a few lawyers who would be interested in that! I wonder if the DTCGenomics investors thought of that