On Wednesday, the U.S. Dept. of Health and Human Services (HHS) released its interim final rule on health data breach notification. The interim rule establishes, among other things, technological standards regarding how to secure health information strongly enough to obviate the need to notify consumers of a data breach. The public has 60 days to comment on the interim rule provisions before they are final. CDT had issued comments to the HHS rulemaking in May 09.
Health care providers are required by law to notify consumers when unsecured protected health information is breached. In this interim ruling, HHS offered guidance on what “unsecured protected health information” means. HHS identified technologies and methodologies that would adequately “secure” personal health data. If the data is breached, health care providers properly using these technologies or methodologies need not notify consumers of the breach. Two of those technologies/methodologies are strong data encryption and destruction standards. CDT supported the approach of offering this exception to notification because it gives companies an incentive to strongly protect consumer data. However, CDT’s comments made clear that such data protections are but one necessary component of a comprehensive framework needed to foster HIT privacy. CDT’s comments recommended that HHS decline to add the “limited data set” to the methodologies that secure health data. Under the HIPAA law, the “limited data set” is data with certain identifiers stripped from it.
However, CDT cited research indicating that a significant portion of the population could still be re-identified with the information contained in the limited data set. Referencing this risk in the interim ruling, HHS agreed that the limited data set alone was not a proper way to secure health information. However, HHS offered an exception to this standard: health care entities and business associates must perform a risk assessment after a data breach of a limited data set, and if this assessment determines that there is “no significant risk of harm” to the individual, then the entity does not need to notify the individual. This appears to be an internal decision on the part of the company.
CDT’s comments also recommended that HHS emphasize that the technologies and methodologies are not a substitute for the existing legal requirement to use the minimum amount of health data necessary for a particular purpose. HHS’ interim rule notes that uses or disclosures that impermissibly involve more health data than the minimum necessary may qualify as a breach. The rule also notes that the exceptions related to limited data sets should not encourage or allow the use or disclosure of more health data than the minimum necessary.
CDT’s comments further urged HHS not to include access safeguards, like fingerprint protected USB drives, as a technology/methodology that secures health data. CDT argued that such safeguards, while a useful layer of protection, do not offer the same degree of protection as encrypting the underlying data on the device. Once the access is broken, the information is vulnerable. Noting this reasoning in the interim final rule, HHS agreed that access controls do not offer enough protection to qualify for the notification exception.
This HHS interim final rule came a day after a similar final rule on personal health records (PHRs) from the Federal Trade Commission (FTC). The FTC rule guides entities that are not covered by HIPAA, whereas the HHS rule guides HIPAA-covered entities. (To learn more details about the FTC rule and CDT’s comments to that rulemaking, please see our previous blog post, here.) CDT recommended that HHS work with the FTC to ensure that Personal Health Records (PHRs) have consistent privacy and security protections, including breach notification provisions germane to PHRs. In the interim rule, HHS acknowledges that it worked with the FTC to ensure that the notification regulations are in sync when PHR vendors are subject to both HHS’ and the FTC’s rules.