I’ve often disagreed with the Center for Democracy & Technology, but I laud them for pointing out the glaring holes in proposed federal data security and data breach notification laws that exclude health information. Harley Geiger writes:
One of the negative side-effects of the sectoral approach the United States has taken to privacy regulation is confusion over whether certain types of personal information are protected under existing rules. Specifically, many people – and, it appears, legislators – seem to assume that all health information is protected under HIPAA. This is incorrect, however, and the assumption that health information is already fully protected in commercial contexts may be leading to its exclusion in proposed data breach bills currently circulating in Congress. Not only do the bills fail to protect health data, but the preemption clauses in some of the bills would prevent state legislatures from enacting their own health privacy safeguards. As a result, if any of the data breach bills introduced in this Congress pass as currently written, a commercial entity that loses, say, your full name and a list of your medications would not be obligated to notify you.
Read more on CDT.