Consumer group: HHS improperly interpreted PHR security protocols
Consumer advocacy organization Consumer Watchdog issued a letter last week chastising the Department of Health and Human Services (HHS) for its interpretation of security protocols for personal health records (PHRs). The Washington D.C.-based nonprofit organization is seeking to repeal the HHS interpretation and “properly implement what Congress enacted.”
The American Recovery and Reinvestment Act of 2009 (ARRA) requires notification if there is an “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.” The act charged HHS with writing and implementing the rules. HHS interpreted “compromises the security” of data to include a substantial harm standard.
The Federal Trade Commission (FTC), the letter noted, was charged with writing breach rules for personal health record vendors, such as Google, which are not covered by HIPAA. Consumer Watchdog stated that the FTC did not find justification for introducing a harm standard.
Consumer advocate John M. Simpson wrote that under HHS’ interpretation, “if the breaching entity decides there is no significant risk of financial, reputation or other harm to the individual, the provider or health insurer never has to disclose that the sensitive information was used or disclosed in violation of the federal privacy rule.”
Simpson called it outrageous that, under this standard, the company responsible for protecting the sensitive data is the one that decides whether it needs to tell anyone that sensitive health data has been breached.
Explaining their reasoning, U.S. Reps. Henry Waxman, D-Calif., Charles B. Rangel, D-N.Y., John Dingell, D-Mich., Frank Pallone Jr., D-N.J., Pete Stark, D-Calif., and Joe Barton, R-Texas, wrote: “The primary purpose for mandatory breach notification is to provide incentives for healthcare entities to protect data, such as through strong encryption or destruction methodologies and to allow individuals to assess the level of unauthorized use of disclosure of their information. Such transparency allows the consumer to judge the quality of a healthcare entity’s privacy protection based on how many breaches occur, enabling them to choose entities with better privacy practices.”
“Furthermore, a black and white standard makes implementation and enforcement simpler,” the representatives concluded.