HHS' New Harm Standard for Breach Notification
In late August, the Dept. of Health and Human Services (HHS) released an interim final rule on health data breach notification. Through the rule, HHS establishes data security standards that it believes are strong enough to eliminate the need to notify consumers of a data breach. That is, if a health care entity applies one of these security processes to its data, and that data is later lost or otherwise breached, the entity does not have to inform patients. Some of the rule's security processes are quite good, such as its strong encryption standards. Unfortunately, however, HHS packed an overly broad and unreliable standard in with the good ones: the "harm standard."
(CDT had issued comments to the HHS rulemaking in May 2009. For more information about the interim final rule and CDT's comments, please see our earlier blog post.)
The American Recovery and Reinvestment Act of 2009 (ARRA) required HHS to issue a rule on breach notification. In its interim final rule, HHS established a harm standard: a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to the individual." In the event of a breach, HHS' rule requires covered entities to perform a risk assessment to determine whether the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.
The primary purpose for mandatory breach notification is to provide incentives for health care companies to protect data. Breach notification is costly to health care companies, both in financial and reputational terms. Therefore, health care companies naturally seek to avoid this expense. In its interim final rule, HHS gave health care companies the opportunity to avoid notification if the companies protect the data through strong encryption or destruction methodologies.
However, the harm standard institutionalized in HHS' interim final rule cripples this crucial incentive. For breach notification purposes, it no longer matters whether health care companies protect data via encryption so long as the companies decide that the breach poses no significant risk of harm to the patient. This decision is an internal process made by companies with a financial and reputational bias against notification. Although HHS can ask the company for documentation on the breach, HHS is unlikely to do so unless someone complains. But if the patient is not notified, who will complain?
Now, if a health care company consistently makes an error that it determines carries an insignificant risk of harm to the patient, what incentive is there for the company to fix it? It never has to tell anyone unless, of course, harm actually occurs. But by then it is too late.
ARRA defines the term "breach" as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." In its interim final rule, HHS interpreted the term "compromises" to include a harm standard. Yet ARRA's statutory language implies no such thing. Read closely, the statutory language refers to compromising the privacy or security of data, not the finances or reputation of the patient. If patient data is acquired without authorization, the privacy of the data is impaired regardless of whether the patient is harmed. To put it another way, mere exposure of private data to an unauthorized person compromises the privacy of that data.
In its interim rule, HHS further justifies the imposition of a harm standard by saying it will reduce the likelihood that patients will receive a multitude of unnecessary breach notices that will cause undue panic. This line of reasoning is related to the argument made by the health care industry that the primary purpose of breach notification is to inform consumers of the steps they can take to protect themselves from the consequences of the breach.
That logic is erroneous because a major purpose for breach notification is transparency. Under the law, the notification must also lay out the steps the health care entity is taking to correct the problem and to prevent it from happening again. If notification were only about advising patients on how to protect themselves, the latter requirement would be pointless. Instead of the harm standard, a better solution would have been to require that breach notifications to patients include the health care entity's assessment of the risk.
Patients should be made aware when the institutions to which they've entrusted their data impair the privacy of that data, even when the risk of harm to the patient is not high. This helps consumers judge the quality of a health care entity's privacy protection by how many incidents occur, enabling them to entrust their data to entities with better privacy practices. This is another way for consumers to proactively defend their privacy, but they must be notified for it to work.
The concern over sending too many breach notifications to patients implies that the industry anticipates a high number of breaches. The best way for industry to cut down the number of notifications would be to strengthen their privacy and security practices. Instead, HHS' overbroad harm standard raises the risk that companies' cost and convenience will override patients' interests in transparency and in motivating health care companies to adopt strong privacy and security standards.
The basic premise behind a harm standard makes some sense, but HHS must set better parameters around the risk assessment. If the breached information was never accessed or acquired by an unauthorized party, there is likely no need for notification. This would bring HHS' harm standard closer to the more consumer-friendly "rebuttable presumption of acquisition" standard that the Federal Trade Commission established in its own breach notification rule. Yet a nuanced discussion of the type of harm standard that might be most appropriate in this context never took place before HHS issued this interim final rule.
HHS gave no indication whatsoever that this crucial point was even under consideration in the original Request for Information that morphed into this rule. Thus, there was no meaningful opportunity for public debate on the desirability of a harm standard. Although HHS gives the public 60 days to comment on the interim final rule before it becomes truly final, the comments may not be addressed until the first annual update to the rule in April 2010. The statute takes effect later this month, but won't be enforced for 180 days. Is there a "significant risk" that HHS will leave the rule unmodified? We hope not.