Health IT Data Breaches: No Harm, No Foul

By Roy Mark | Posted 2009-09-16

Data breach notification rules for health entities covered by the Health Insurance Portability and Accountability Act take effect Sept. 23. Under the rules issued by the Department of Health and Human Services, (PDF) health care providers and health plans will be required to notify individuals of a breach of their unsecured protected health information. Maybe.

For companies that secure health information using encryption or destruction, no breach notification is necessary. For those companies that don't use encryption or destruction to protect the health data of individuals, notification isn't necessary if the breach doesn't rise to the harm standard established in the rules.

According to HHS' harm standard, the question is whether access, use or disclosure of the data poses a "significant risk of financial, reputational or other harm to [an] individual." Covered entities that suffer a data breach are required to perform a risk assessment to determine if the harm standard has been met. If the entity decides the harm to an individual is not significant, no notification is required.

"For breach notification purposes, it no longer matters whether health care companies protect data via encryption so long as the companies decide that the breach poses no significant risk of harm to the patient," stated a Sept. 11 blog post on the CDT (Center for Democracy and Technology) Website. "This decision is an internal process made by companies with a financial and reputational bias against notification."

The post, by CDT Staff Counsel Harley Geiger, adds, "Now, if a health care company consistently makes an error that it determines carries insignificant risk of harm to the patient, what incentive is there for the company to fix it? They never have to tell anyone unless, of course, harm actually occurs. But then it is too late."

Like retail before it, the health care industry has resisted data breach notifications and has latched upon harm standards to avoid blanket notifications. HHS said it included a harm standard in its rules so that patients wouldn't receive unnecessary breach notices that could cause undue panic.

"The concern over sending too many breach notifications to patients implies that the industry anticipates a high number of breaches. The best way for [the] industry to cut down the number of notifications would be to strengthen their privacy and security practices," Geiger wrote. "Instead, HHS' overbroad harm standard raises the risk that companies' cost and convenience will override patients' interests in transparency and in motivating health care companies to adopt strong privacy and security standards."

The rules are being implemented as part of the HITECH (Health Information Technology for Economic and Clinical Health) Act which, in turn, was part of the American Recovery and Reinvestment Act of 2009 passed earlier this year by Congress.

CDT also complained that HHS gave "no indication whatsoever" that the harm standard was even under consideration in the original Request for Information that morphed into this rule. The rule takes effect on Sept. 23, although HHS won't enforce it for 180 days. HHS also gives the public 60 days to comment on the rule, but the comments won't be addressed until the first annual update to the rule in April 2010.