Lawmakers Urge Lower Bar for Health IT Data Breach Notification

Chairmen of the House Energy and Commerce Committee and the Ways and Means Committee remind Health and Human Services Secretary Kathleen Sebelius that Congress considered and rejected the very rules that now trigger a health IT data breach notification.

Two key chairmen of U.S. House committees Oct. 1 urged Health and Human Services Secretary Kathleen Sebelius to revise or appeal the agency's controversial "harm standard" that would trigger a personal health record data breach notification.
Under the current rules, for companies that secure health information using encryption or destruction, no breach notification is necessary. For those companies that don't use encryption/destruction to protect the health data of individuals, notification isn't necessary if the breach doesn't rise to the harm standard established in the rules.
According to HHS' harm standard, a data breach does not occur unless the access, use or disclosure poses a "significant risk of financial, reputational or other harm to individual." Covered entities that suffer a data breach are required to perform a risk assessment to determine if the harm standard is met. If the entity decides the harm to an individual is not significant, no notification is required.
"This is not consistent with the Congressional intent," Rep. Henry Waxman, D-Calif., chairman of the Energy and Commerce Committee, and Rep. Charles Rangel, D-N.Y., chairman of the Committee on Ways, wrote to Sebelius.
Waxman and Rangel pointed out the ARRA (American Recovery and Reinvestment Act of 2009) requires health entities to notify individuals if there is an "unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information." In the HHS interim final rules, "compromises" is determined by the harm standard.
"ARRA's statutory language does not imply a harm standard," the lawmakers wrote. "Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given breaching entities, particularly with regard to determining something as substantive as harm from the releases of sensitive and personal health information."
Like retailers before them, the health care industry has resisted data breach notifications and has latched upon harm standards to avoid broader notifications. HHS said it included a harm standard in its rules to avoid patients receiving unnecessary breach notices that could cause undue panic.
"Members reported and passed legislation that has a black and white standard for notification with a safe harbor for information that is rendered unusable, unreadable or indecipherable to unauthorized individuals," the letter states. "Such transparency allows the consumer to judge the quality of a health care entity's privacy protection based on how many breaches occur, enabling them to choose entities with better privacy practices."
The rules are being implemented as part of the HITECH (Health Information Technology for Economic and Clinical Health) Act, which, in turn, was part of ARRA passed earlier this year by Congress.