The most important feature of the new breach regulations from a compliance perspective is the "risk of harm" standard that qualifies the meaning of a "breach" under the HITECH Act and the guidance issued by the Secretary on April 17, 2009. (See HITECH Act at § 13400(1).) Under the interim final rule, a breach that "compromises the security or privacy of the [PHI]" is one that "poses a significant risk of financial, reputational, or other harm to the individual." (45 C.F.R. § 164.402.) The risk of harm standard therefore requires a covered entity to undertake a risk assessment of the potential harm to the affected individuals and, based upon that assessment, to determine in good faith whether it is necessary to notify the individual(s) of the breach.
Generally, in the event of a "breach" of "unsecured" PHI, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached. (45 C.F.R. § 164.404(a)(1).) Despite the obvious utility of the new harm standard, a few privacy advocates (and four United States congressmen) have expressed displeasure with it. An October 1st letter from congressional leaders to HHS Secretary Sebelius argues that ARRA did not imply a harm standard in the breach notification requirements, and requests that HHS repeal the harm standard included in the interim final regulations on Breach Notification for Unsecured Protected Health Information.
The letter was signed by Henry A. Waxman, Chairman of the Committee on Energy and Commerce (Democrat, California); Charles B. Rangel, Chairman of the Committee on Ways and Means (Democrat, New York); John D. Dingell, Chairman Emeritus of the Committee on Energy and Commerce (Democrat, Michigan); and Frank Pallone, Jr., Chairman of the Subcommittee on Health, Committee on Energy and Commerce (Democrat, New Jersey). For a copy of the letter, see: sebelius_letter.
However, many states use a standard similar to the harm standard under the federal Breach Notification Rule (including New York,* Michigan and New Jersey). Only six states have a strict acquisition-based standard, and of those six, only a couple link their definition of encryption to FIPS 140-2 (Federal Information Processing Standard).
*Note: I listed New York in error as a risk-based/harm-based state. I appreciate the careful attention of harley@cdt.org at blog.cdt.org for his comment. A complete listing of acquisition-based states is available at: http://law2point0.com/wordpress/2009/09/15/50-state-security-breach-notice-law/ and this would include both New York and California.
It should be noted that the Congressmen who wrote the letter also wrote the legislation underlying the notification rule.
The letter also stated:
- “[The harm standard] is not consistent with Congressional intent… [The] statutory language does not imply a harm standard. In drafting [the statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”
Also, I do not think New York has a harm standard, as you state in this article. Rather, it has an acquisition-based standard. Please see NY Gen. Bus. Law § 899-aa.
In fact, four of the five most populous states have acquisition-based notification standards, covering more than 30% of the population.
The Federal Trade Commission also has an acquisition-based notification rule for personal health records.
This would be a far more appropriate standard for HHS to adopt: it would reduce unnecessary notifications, align itself with Congressional intent, and preserve incentives for health care companies to protect data.
I agree with the comment in most respects. The intent of the notification rule in the new statute seems clear, and the letter from the framers should dispel any confusion regarding that intent. A more inclusive acquisition-based rule would be far more objective and easier to administer and enforce. I do, however, foresee more unnecessary notifications under an acquisition-based rule, not fewer. This I see as a necessary evil of a more objective and more inclusive system.