Adding their voices to those of consumer advocates, six powerful members of Congress have written a letter to Kathleen Sebelius, Secretary of the Dept. of Health and Human Services, to express their concern over HHS' interim final rule on health data breach notification published in late August.
The congressmen stating their dismay about the "high bar" set for breach notification are Henry Waxman, chair of the House Committee on Energy and Commerce; Charles Rangel, chairman of Ways and Means; John Dingell, chairman-emeritus of Energy and Commerce; Frank Pallone Jr., chairman of the Subcommittee on Health of the Committee on Energy and Commerce; Pete Stark, chairman of the Subcommittee on Health of Ways and Means; and Joe Barton, ranking member of the Committee on Energy and Commerce.
Basically, HHS has established a harm standard that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to individual." In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached.
Those advocating for healthcare providers are thrilled. The American Hospital Association has released a sample letter that hospitals can use to voice their support for retaining the "risk of harm" standard in the final rule on breach notification. "The implementation of a risk of harm trigger in the interim final rule's definition of 'breach' is consistent with the statutory language" of the HITECH Act, which contemplates the need to determine whether there is a risk of harm to an individual from the breach, the letter states.
But the six congressmen don't see it that way. They note that Section 13402 of ARRA requires health care entities to notify individuals if there is an "unauthorized acquisition, access, use, or disclosure of protected health information which comprises the security or privacy of such information." The representatives' letter notes that the interim final rule interprets the term "compromises" to include a substantial harm standard. But they note that ARRA's statutory language does not imply a harm standard. "In drafting Section 13402, Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information."
They said they considered a harm standard when writing the legislation, but it was specifically rejected in favor of a "black and white" standard for notification, with a safe harbor for information that is rendered unreadable or indecipherable to unauthorized individuals.
As Harley Geiger of the Center for Democracy and Technology has pointed out, mandatory breach notification provides incentives for health care companies to protect data. "Breach notification is costly to health care companies, both in financial and reputational terms," he notes. With the interim final rule, HHS gave health care companies the opportunity to avoid notification if they protect data through strong encryption or destruction technology. "However, the harm standard institutionalized in HHS' interim final rule cripples this crucial incentive," Geiger writes. Encrypted or not, if the data is lost, the company can just decide that the breach isn't serious enough to warrant informing the patient. "Although HHS can ask the company for documentation on the breach, HHS is unlikely to do so unless someone complains," he notes, "but if the patient is not notified, who will complain?
I'm sure the idea of notifying patients every time there is a breach is worrying to providers, but as the legislators make clear, the benefits of health IT can only be fully realized with the inclusion of strong safeguards of personal health information. "To gain the public trust," they write, "it is imperative that there is effective implementation of those provisions by HHS."
What do you think is the right balance between patient privacy rights and the impact on business practices of hospitals and other health care entities?