CDT Joint Comments to HHS on Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements

CDT, together with the Markle Foundation, the Center for American Progress and others, filed comments with the Department of Health and Human Services (HHS) in response to new requirements on how health care organizations notify patients about breaches of “unsecured” health data. The HHS guidance listed techniques that could “secure” data and remove the breach notification requirement. In the comments, CDT supported strong cryptographic solutions and destruction standards, but argued against HHS including the “limited data set,” where certain identifiers are stripped from patient health data, because the risk of re-identification is too great. CDT also urged HHS to ensure consistent privacy protections for personal health records (PHR) regardless of whether or not the entity offering the PHR is covered by HIPAA.