CDT Notes Areas of Concern in Comments to HHS on Breach Notification Rules

Washington – CDT’s Health Privacy Project (HPP) submitted comments Oct. 23 that outlined several areas of concern regarding the Department of Health and Human Services breach notification rules.

"The rules adopted by HHS give too much discretion to health care organizations when deciding if a breach of personal health information is serious," said HPP Director Deven McGraw. "The rules give health care organizations discretion to make a value judgment on whether consumers would be harmed by a breach," McGraw said. "This approach undermines the intent of the law, which is to provide information to consumers when their information is at risk."

HHS should revise its standard for when patients must be notified that their data has been breached, CDT says in its comments. The revised standard should provide transparency for consumers and give health care organizations incentives to adopt strong policies and privacy-enhancing technologies, such as encryption, to protect data. However, the standard should not be so strict that consumers and health care organizations are burdened with notifications for every minor infraction, CDT says.

To help correct the problem areas of the new breach notification rules, CDT offered several recommendations, which include:

  • Revise the individual harm standard that HHS uses as a trigger for having to notify that a breach has taken place;
  • Replace the harm standard with a risk assessment approach that requires organizations to determine whether the data was actually viewed or acquired by an unauthorized person, or was subjected to (or at risk of) further misuse, or whether, in the case of anonymized data, it was re-identified;
  • Issue annual or at least periodic guidance on best risk assessment practices for breach notification; and
  • Amend the Privacy Rule so that the privacy notice of any health care organization offering consumers a personal health record must clearly state how it uses and discloses information in that record.

CDT wrote its comments in conjunction with the Markle Foundation.