The Center for Democracy and Technology is the latest to find fault with the Department of Health and Human Services' data breach rules for personal health records. Under the current interim rules health care organizations that use encryption or destruction, no breach notification is necessary, but for those who don't, the health organization makes the call on whether the breach is harmful enough to trigger a breach notification.
The Department of Health and Human Services should replace its
controversial harm standard for triggering a personal health record
data breach notification with a risk assessment approach that requires
organizations to determine whether the data was actually viewed or
acquired by an unauthorized person, according to the Center for
Democracy and Technology.
Under the current rules, companies that secure health information using encryption or
destruction, no breach notification is necessary. For those companies
that don't use encryption/destruction to protect the health data of
individuals, notification isn't necessary if the breach doesn't rise to
the harm standard established in the rules.
HHS' harm standard, a data breach does not occur unless the access, use
or disclosure poses a "significant risk of financial, reputational or
other harm to
individual." Covered entities that suffer a data breach are required to
perform a risk assessment to determine if the harm standard
is met. If the entity decides the harm to an individual is not
significant, no notification is required.
rules adopted by HHS give too much discretion to health care
organizations when deciding if a breach of personal health information
is serious," Deven McGraw, the CDT's Health Privacy Project director, said in a statement. "The rules give health
care organizations discretion to make a value judgment on whether
consumers would be harmed by a breach. This approach
undermines the intent of the law, which is to provide information to
consumers when their information is at risk."
The CDT wants the standard to be
revised to include transparency for consumers and incentives for health
care organizations to use strong policies and privacy enhancing
technologies, such as encryption, to protect data. However, the CDT contends, the
standard shouldn't be so strict that consumers and health care
organizations are burdened with notifications for every minor
rules are being implemented as part of the HITECH (Health
Information Technology for Economic and Clinical Health) Act which, in
turn, was part of the Recovery Act
passed earlier this year by Congress.
retailers before them, the health care industry has resisted data
breach notifications and has latched upon harm standards to avoid
broader notifications. HHS said it included a harm standard in its
rules to avoid patients receiving unnecessary breach notices that could
cause undue panic.
Earlier this month, two key chairmen of U.S. House committees urged HHS Secretary Kathleen
Sebelius to revise or appeal the agency's harm standard.
"This is not consistent with the Congressional intent," Rep. Henry
Waxman (D-CA), chairman of the Energy and Commerce Committee, and Rep.
Charles Rangel (D-NY), chairman of the Committee on Ways, wrote to
Waxman and Rangel pointed out the Recovery Act requires health entities to
notify individuals if there is an "unauthorized acquisition, access,
use or disclosure of protected health information which compromises the
security or privacy of such information." In the HHS interim final
rules, "compromises" is determined by the harm standard.
statutory language does not imply a harm standard," the lawmakers
wrote. "Committee members specifically considered and rejected such a
standard due to concerns over the breadth of discretion that would be
given breaching entities, particularly with regard to determining
something as substantive as harm from the releases of sensitive and
personal health information."