Why Isn't There A National Security Breach Notification Law?

June 24, 2011
Earlier this month, a parade of healthcare industry representatives and consumer privacy advocates offered testimony at a House panel hearing on bipartisan draft health information technology legislation. One of the topics discussed was the draft legislation's provisions that would impose standardized security breach notification requirements on all HIPAA covered entities and business associates. Marc C. Reed, executive vice president of human resources for Verizon Communications, told the committee that the creation of a single federal data breach notification standard would relieve the burden currently imposed on national companies that must comply with a patchwork of state security breach notification laws.

In advising national companies responding to security breach incidents, I can attest that among the first things a company must do are (1) identify the states in which the individuals affected by the breach reside; (2) find out whether those states have passed security breach notice laws; and (3) determine the "highest common denominator" for compliance with all applicable state laws, that is, the strictest combination of trigger, content, timing, and recipient requirements among them. This process would be simplified and rationalized if there were a single federal security breach notification law.

Ever since the landmark ChoicePoint security breach in 2005, competing security breach notification laws have been kicked around on Capitol Hill but (shockingly) nothing has been accomplished. Obstacles to these new laws have included: (1) competition between committees championing their own security breach bills in the House and Senate; (2) deciding on the extent to which existing state security breach laws should be preempted; and (3) differences regarding the appropriate "trigger" for notification.

Consumer privacy groups are largely satisfied with this patchwork approach, which ensures that companies comply with the "highest common denominator." Even some industry representatives are resigned to the status quo. At the RSA conference in San Francisco in April, Mike Zaneis, VP of Public Policy for the Interactive Advertising Bureau, said, "You've got almost comprehensive coverage with state laws so there is not much of an impetus for national legislation. We had a real opportunity three years ago after the ChoicePoint data breach, but we sort of missed the bus a little bit."

Many national companies responding to security breaches and attempting to make sense of more than 40 differing state notification laws continue to feel that there is a strong impetus for national legislation. I, for one, am hoping that Congress will get past its inter-committee skirmishes and craft a sensible federal security breach notification law. To extend Mr. Zaneis' analogy, I would say that the bus hasn't left the station, but is stalled in the garage. Perhaps it just needs a jump-start. Okay, I'm going to stop now ….
