New Health Data Rules Take Effect
Broader protections, but possible loophole concerns critics
September 23, 2009
The first-ever federal data breach notification law, aimed at ensuring that patients are informed when their medical data is exposed to an outsider, goes into effect today.
The rule outlines procedures for notifying victims of unauthorized release of their private health data, and provides for criminal and civil penalties in the event of a breach. Compliance is required of entities covered under the Health Insurance Portability and Accountability Act (HIPAA), such as hospitals, doctors and health plans, as well as their associates (such as attorneys, accountants or software consultants).
The new regulation, passed by Congress in February 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, grants an incentive for implementing stronger encryption standards. If a health-care provider maintains its data in encrypted formats rendering sensitive data unreadable or unusable upon release, a data breach notification would not be required.
Harm standard harmful?
The new rule is not without its critics. The incentive for health care companies to better protect their data is “cripple[d]” by the regulation’s “harm standard” for assessing risk, blogged Harley Geiger, staff counsel for privacy advocacy group Center for Democracy and Technology (CDT). After all, it is up to the health care provider to determine whether or not the rule’s harm standard has been met. According to the rule [pdf], a covered entity need only disclose the breach if there is a “significant risk of financial, reputational, or other harm to individuals.”
This is despite the fact that the breached entity has a “financial and reputational bias against notification,” wrote Geiger. Under this new provision, patients might never find out about the breach, Geiger wrote, “unless, of course, harm actually occurs. But then it is too late.”
Health and Human Services included the harm standard to avoid patients receiving unnecessary breach notices that could cause undue panic, eweek.com reported.
While the harm standard might wind up serving as a sort of loophole, the federal notification law includes several steps in the right direction: making health care providers and their associates accountable for maintaining patient data privacy, incentivizing encryption, and requiring organizations to explain how breaches happened.