The Coalition for Patient Privacy urges the Department of Health and Human Services to revise and repeal the interim final rule (IFR) establishing requirements for notification of breaches of unsecured protected health information.
“We are dismayed and disappointed with the IFR, particularly with the inclusion of a ‘harm standard’. HHS went far beyond the intent of Congress. This is a real blow to accountability and transparency,” said Ashley Katz, Executive Director of Patient Privacy Rights, the organization that leads the Coalition.
On October 1, leadership from the House Ways & Means Committee and Energy & Commerce Committee urged HHS Secretary Sebelius to revise or repeal the harm standard.
Under HHS’ interpretation, an entity responsible for a breach may avoid providing notice of a breach if that entity determines there is no “significant risk of financial, reputational or other harm to the individual.” This exclusion weakens the breach notification requirement dramatically, granting the company that would like to avoid the cost and consequences of breach notification the power to decide if they will notify.
There was no mention of any harm standard in HHS’ previous Request for Information, thwarting any opportunity for public debate.
Currently, individuals have higher standards and expectations for our financial data than we do for our health data. With a breach of financial records, a consumer faces a significant headache, but ultimately can have their credit and funds restored; this is not the case with health records. A stigmatizing diagnosis, condition or prescription in the wrong hands can cause irreversible damage and discrimination.
Ensuring ironclad protections against theft and misuses of PHI must be the price of doing business in health care. “If an entity cannot or will not protect our most sensitive data, they should not be in the health care business,” said Katz.
Signing organizations to the HHS letter include: American Association of People with Disabilities, American Civil Liberties Union, American Council of the Blind, Clinical Social Work Association, Consumer Action, JustHealth, The Multiracial Activist, The National Coalition of Mental Health Professionals and Consumers, Patient Privacy Rights, Private Citizen, Inc., Telecommunications for the Deaf & Hard of Hearing, Inc., and the U.S. Bill of Rights Foundation.
Letter from Coalition for Patient Privacy:
http://www.patientprivacyrights.org/site/DocServer/HHS_CommentsIFRBreach_Final.pdf?docID=6161
Source: Coalition for Patient Privacy