Congress Calls on HHS to Strengthen Breach Notification Rules

In a letter issued on October 1st, Congressional House leaders of the Energy and Commerce and Ways and Means committees oppose “the high bar” that the Department of Health and Human Services (HHS) has set for breach notification.

The breach notification regulations were enacted pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA). Published as interim final regulations in the Federal Register on August 24, 2009, they require health care entities to notify individuals and HHS if there has been an unauthorized use or disclosure (“breach”) of electronic personal health data. These regulations, however, include a “substantial harm” standard, which does not require breach notification to individuals or HHS if the breaching entity believes there is no significant risk of financial, reputational or other harm to the individual.

According to the letter, the substantial harm standard is not consistent with Congressional intent. “In drafting [the enacting statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

The letter urges HHS to revise or repeal the harm standard provision and calls for greater transparency through a “black and white standard,” which would allow individuals to assess the level of harm caused by a breach of their health information, and permit them to judge the quality of an entity’s privacy protection based on the true number of breach occurrences.