HHS Breach Notification Rules Again Under Fire

The Center for Democracy and Technology is the latest to find fault with the Department of Health and Human Services' data breach rules for personal health records. Under the current interim rules health care organizations that use encryption or destruction, no breach notification is necessary, but for those who don't, the health organization makes the call on whether the breach is harmful enough to trigger a breach notification.

The Department of Health and Human Services should replace its controversial harm standard for triggering a personal health record data breach notification with a risk assessment approach that requires organizations to determine whether the data was actually viewed or acquired by an unauthorized person, according to the Center for Democracy and Technology.

Under the current rules, companies that secure health information using encryption or destruction, no breach notification is necessary. For those companies that don't use encryption/destruction to protect the health data of individuals, notification isn't necessary if the breach doesn't rise to the harm standard established in the rules.
According to HHS' harm standard, a data breach does not occur unless the access, use or disclosure poses a "significant risk of financial, reputational or other harm to individual." Covered entities that suffer a data breach are required to perform a risk assessment to determine if the harm standard is met. If the entity decides the harm to an individual is not significant, no notification is required.

"The rules adopted by HHS give too much discretion to health care organizations when deciding if a breach of personal health information is serious," Deven McGraw, the CDT's Health Privacy Project director, said in a statement. "The rules give health care organizations discretion to make a value judgment on whether consumers would be harmed by a breach. This approach undermines the intent of the law, which is to provide information to consumers when their information is at risk."

The CDT wants the standard to be revised to include transparency for consumers and incentives for health care organizations to use strong policies and privacy enhancing technologies, such as encryption, to protect data. However, the CDT contends, the standard shouldn't be so strict that consumers and health care organizations are burdened with notifications for every minor infraction.

The rules are being implemented as part of the HITECH (Health Information Technology for Economic and Clinical Health) Act which, in turn, was part of the Recovery Act passed earlier this year by Congress.

Like retailers before them, the health care industry has resisted data breach notifications and has latched upon harm standards to avoid broader notifications. HHS said it included a harm standard in its rules to avoid patients receiving unnecessary breach notices that could cause undue panic.

Earlier this month, two key chairmen of U.S. House committees urged HHS Secretary Kathleen Sebelius to revise or appeal the agency's harm standard.

"This is not consistent with the Congressional intent," Rep. Henry Waxman (D-CA), chairman of the Energy and Commerce Committee, and Rep. Charles Rangel (D-NY), chairman of the Committee on Ways, wrote to Sebelius.

Waxman and Rangel pointed out the Recovery Act requires health entities to notify individuals if there is an "unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information." In the HHS interim final rules, "compromises" is determined by the harm standard.

"ARRA's statutory language does not imply a harm standard," the lawmakers wrote. "Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given breaching entities, particularly with regard to determining something as substantive as harm from the releases of sensitive and personal health information."