HHS urged to rework data breach notification rule

A member of the Health and Human Services Department's health IT policy committee is urging the agency to revise what she argues is an overly broad and unreliable provision of an otherwise solid interim final rule on data breach notification. The Center for Democracy and Technology's Deven McGraw voiced her concern with reporters earlier this week ahead of a Friday meeting of the health IT policy panel. The HHS rule, which is set to take effect Sept. 24, sets data security standards that the agency believes are strong enough to eliminate the need to notify consumers of a data breach -- but its so-called "harm standard" is sub-par, she said.

The interim final rule, which was issued last month, states that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to individual." In the event of a breach, the rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.

The language was not handed down as part of the $19 billion health IT section of the economic stimulus package and was expressly rejected by House staffers who helped craft the measure, McGraw said. She noted its inclusion by HHS is likely the result of lobbying on the part of the healthcare industry. CDT and its allies favor the approach taken by the Federal Trade Commission in its own data breach mandate, which takes effect the same day as the HHS rule. The FTC version stipulates that if an individual authorized the discharge of data, its release is not considered a breach.

The FTC's rule also allows for a vendor to engage in a risk analysis and states that if data was never acquired (i.e., officials are fairly certain that nobody saw the material), it does not count as a breach and notification does not have to occur. Both agencies have said they will not enforce the data beach rules for 180 days, during which time McGraw hopes that HHS will go back to the drawing board. Read more on this topic on CDT's blog.