Late last month, the U.S. Department of Health and Human Services (HHS) issued an interim final rule requiring health care organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached. But privacy advocates contest a “harm threshold” provision of the interim final rule, which states that if a breach occurs, organizations should conduct a risk assessment and only need to issue breach notifications if they believe disclosure of the information “poses some harm to the individual.”
Privacy advocates told SCMagazineUS.com on Tuesday that they believe the HHS added this provision in response to overwhelming pressure from the health care industry.
“The key problem is, those who breach your information are the ones who get to decide if you are harmed or not,” Deborah Peel, founder and chairwoman of the nonprofit Patient Privacy Rights, told SCMagazineUS.com on Tuesday.
The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama in February, required the HHS to create the health care data breach notification rule. Critics, however, argue that the harm threshold violates what Congress initially intended.
Harley Geiger, legal counsel at the Center for Democracy and Technology (CDT), told SCMagazineUS.com on Tuesday that Congress intended for the federal rule to incentivize proactive data protection measures, such as encryption. For example, if the data involved in a breach is rendered unusable by encryption, companies do not have to issue breach notifications, the interim final rule states.
But the harm threshold “cripples” any incentive to protect data, Geiger said.
“Ultimately this weakens patient privacy and the transparency of health care companies,” Geiger said.
In addition, Peel said she believes the harm threshold is “absurd” because Congress did not include any such provision in the initial ARRA bill.
“It's shocking to see that the federal agency charged with protecting the public [HHS] is instead protecting private corporations against the embarrassment and bad press that would occur if they aren't protecting our health records,” Peel said.
The HHS noted that it intended to align the federal rule with state health care data breach notification laws, avoiding unnecessary panic and preventing individuals from being “flooded with notifications for breaches that pose no threat,” as the interim final rule puts it.
"To determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure," the interim final rule states.
One situation identified as posing less of a risk is if information was exposed to another organization that is also governed by HIPAA. In addition, if a laptop was lost or stolen, but then recovered, and a subsequent forensic analysis determined that the information was not tampered with, the breach would pose a low-risk, the interim final rule states.
A spokesperson from the Office for Civil Rights at the HHS told SCMagazineUS.com in an email Tuesday that the HHS cannot respond to any criticisms about the rule because it is still open for public review and feedback. Individuals are encouraged to provide comments on the rule through Oct. 23. It is possible that, based on the comments it receives, the HHS will change the rule before its first scheduled annual update in April 2010, the agency said.