Objective Standards Needed for Evaluating Information Breaches

HITECH Breach Notification for Unsecured Protected Health Information Rulemaking
October 23, 2009 | Collaborative Comment
Markle Foundation, Center for Democracy and Technology (CDT), Collaborators

Markle Connecting for Health and the Center for Democracy and Technology submit comments to HHS on the need for objective standards for judging whether a data breach presents significant risk.


Markle’s Connecting for Health Initiative has since 2002 brought together leading government, industry, and health care experts to accelerate the development of a health information-sharing environment that improves the quality and cost-effectiveness of health care while protecting privacy. The Center for Democracy and Technology (CDT), through its Health Privacy Project, promotes comprehensive privacy and security policies to protect health data as information technology is increasingly used to support the exchange of health information. Markle and CDT, along with those listed at the end of this letter, submit these comments in response to the interim final rule (IFR) establishing requirements for notification of breaches of unsecured protected health information and request for comments issued by the Department of Health and Human Services (HHS) under the American Recovery and Reinvestment Act of 2009 (ARRA).1

The HHS IFR, which applies to entities covered by the Privacy and Security Rules of the Health Information Portability and Accountability Act (HIPAA), was issued at around the same time the Federal Trade Commission (FTC) issued its final rule2 governing breach notification for personal health record (PHR) vendors and related entities that are not HIPAA-covered entities (collectively referred to as PHR vendors).3 Because there is overlap between these two sets of standards, we have taken the FTC’s final rule into account in formulating these comments on HHS’ IFR. We also address HHS’ clarification of guidance, issued contemporaneously with its IFR, which specifies the secure technologies and methodologies that, when utilized by HIPAA-covered entities or PHR vendors, provide a safe harbor from the ARRA’s breach notification requirements.

Our comments are based on a few core principles:

  • A comprehensive framework of privacy protections, including greater transparency regarding uses and disclosures of personal health data, is crucial to consumer trust in health information technology and health information exchange.
  • Requiring that individuals and government authorities be notified in the event of a breach of personal health information promotes transparency and acknowledges concerns that individuals have when their health data are inappropriately accessed or disclosed. Breach notification requirements are part of a strategy to help health care organizations develop and implement policies and technologies that better protect health data.
  • Policies and standards for breach notification should be set in a way that promotes these important goals while also avoiding over-notification for inconsequential breaches.
  • It is essential to have a consistent and consumer-oriented approach to privacy and security policies for personal health records or systems (PHRs) in order to avoid confusing and potentially harmful policies for this emerging set of tools for enabling consumers to manage and use their health information to improve their care.

__________

  1. HHS, Breach Notification for Unsecured Protected Health Information; Interim Final Rule, Federal Register, Vol. 74, No. 163, pp. 42740 – 42770, August 24, 2009 (HHS IFR or IFR).
  2. FTC, Health Breach Notification Final Rule, Federal Register, Vol. 74, No. 163, pp. 42962 – 42984, August 25, 2009 (FTC Final Rule).
  3. The FTC rule requires “vendors of personal health records” and “PHR related entities” to notify their customers of any breach of unsecured, individually identifiable health information. ARRA expressly excludes from the definition of “vendors of personal health records” entities covered by the HIPAA Privacy Rule. American Recovery and Reinvestment Act of 2009, P.L. 111-5 (ARRA), § 13400(3) and (18).