HHS Data Breach Notification Harm Threshold Requires Risk Assessment

Lora Bentley

When the HITECH Act portion of the American Recovery and Reinvestment Act became effective in late September, IT Business Edge blogger Mike Vizard argued that the HITECH Act has a big loophole that allows an organization that suffers a breach to skip the notification requirements if it can determine that the breach did not harm anyone.


Vizard's not the only one raising such issues. The Center for Democracy and Technology asked similar questions after the Department of Health and Human Services issued its interim final rules. Staff counsel Harley Geiger said:

The primary purpose for mandatory breach notification is to provide incentives for health care companies to protect data. ... However, the harm standard institutionalized in HHS' interim final rule cripples this crucial incentive. For breach notification purposes, it no longer matters whether health care companies protect data via encryption so long as the companies decide that the breach poses no significant risk of harm to the patient.


Here's the thing, though: The companies bear the burden of proving that there's no significant risk of harm. It's not like they can just decide, "Oh, it's not going to hurt anyone. Who needs to know?" They have to demonstrate why the breach does not pose a risk to the individuals whose information was compromised.


Information Law Group founding partner Tanya Forsheit explains further:

Risk assessments must be fact-specific inquiries. A risk assessment performed pursuant to the Rule should determine who impermissibly used the information and/or to whom the information was impermissibly disclosed, and should address the type and amount of PHI involved in the impermissible use or disclosure.


Oct 12, 2009 6:16 AM HLGCDT says:

Your characterization of the duty of a health care entity to prove whether there was a risk of harm is not entirely accurate.

Although a breaching company is required to document its risk assessment, the company is not required to prove anything unless HHS requests that it does so.

If a company decides its breach does not meet the harm threshold, it does not even have to report the breach to HHS.

HHS has historically had an abysmal record of enforcing the HIPAA Privacy and Security Rules.

It is therefore highly unlikely that HHS will ask a breaching company to prove anything unless a patient complains.

But if patients are never notified of a breach, who will complain?

Under the current harm standard, health care companies have been given a huge amount of discretion on whether to notify patients that their sensitive health data was breached.

Congress did not intend to give health care companies that degree of discretion.

On Oct. 1st, Reps. Henry Waxman (Energy & Commerce Chairman) and Charles Rangel (Ways & Means Chairman), who were the principal drafters of the underlying legislation, sent a letter to HHS Sec. Sebelius urging HHS to revise or repeal the harm standard provisions included in the breach notification interim final rule.

The letter stated:

-   "[The harm standard] is not consistent with Congressional intent."

-   "[The] statutory language does not imply a harm standard. In drafting, Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information."

-   "We urge HHS to revise or repeal the harm standard provision included in its interim final rule at the soonest appropriate opportunity."

The full letter can be found here:

http://energycommerce.house.gov/Press_111/20091001/sebelius_letter.pdf

Oct 12, 2009 11:33 AM HLGCDT says:

Your description of what the notification rule requires is incomplete.

It is true that companies must document their rationale for determining a breach does not pose a significant risk of harm to an individual.

However, that documentation stays with the company, only to be retrieved if HHS asks for it.

HHS has historically had an abysmal record in enforcing the Privacy and Security rules, and patients can hardly complain if they are never notified of a breach.

In fact, if companies decide a breach doesn't meet the harm threshold, they don't even have to report the breach to HHS.

Therefore, HHS is unlikely to ask companies to prove anything in the vast majority of cases.

Under the current harm standard, health care companies have a huge amount of discretion in deciding whether a data breach could cause harm to individuals.

What is sensitive to one patient may not be to another, yet the harm standard permits health care companies to make a subjective determination on behalf of individuals as to whether the breached data is sensitive or not.

This is not what Congress intended when it wrote the law.

In fact, the Congressmen who wrote the law recently sent a letter to HHS Secretary Sebelius, in which they stated

-   "[The] statutory language does not imply a harm standard. In drafting, Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information."

-   "We urge HHS to revise or repeal the harm standard provision included in its interim final rule at the soonest appropriate opportunity."

The full letter can be found here:

http://energycommerce.house.gov/Press_111/20091001/sebelius_letter.pdf
