Consumer Watchdog, an advocacy organization, has called on Health and Human Services Secretary Kathleen Sebelius to repeal the new health information breach notification rule, saying it flouts congressional intent.
Section 13402 of the American Recovery and Reinvestment Act requires notification if there is unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security and privacy of the information, the organization said in an Oct. 22 letter to Sebelius. “This is a simple, black and white standard,” according to the letter. “If there is a breach, there must be notification.”
But HHS in its rule “inexplicably” changed the requirements for necessitating notification of breaches, according to Consumer Watchdog. “You have decided to interpret ‘compromises the security’ of data to include a substantial harm standard,” the organization told Sebelius. “Under the HHS interpretation, if the breaching entity decides there is no significant risk of financial, reputation or other harm to the individual, the provider or health insurer never has to disclose that the sensitive information was used or disclosed in violation of the federal privacy rule. In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous.”
Consumer Watchdog also noted that six House Democrats have written to Sebelius protesting the “substantial harm” standard, and that the Federal Trade Commission’s breach notification rule covering personal health records includes no such standard. The organization, in its letter to Sebelius, questions whether health care lobbyists had undue influence on HHS’ rulemaking process.