Pressure is mounting for HHS to revamp a provision in an interim final rule that would give hospitals and other providers wide authority to decide whether a privacy breach is harmful to a patient, a policy that the lawmakers who authored the legislation on which the rule is based have decried and that patient advocates are calling backward.
Patient advocates have joined key lawmakers in urging HHS to reverse course on the harm standard and not let hospitals and other providers make the determination about whether a breach will be harmful or not. Groups behind the push include the Coalition for Patient Privacy, the Center for Democracy and Technology, and Consumer Watchdog. Also signing CDT’s comment letter were Consumers Union, AARP and Microsoft.
Aligned on the other side are heavyweight stakeholders such as the American Hospital Association, the Medical Group Management Association and the American Association of Medical Colleges, which all argue that the burden and cost of breach notifications are too high and support the harm standard.
The lawmakers who crafted the provisions of the stimulus bill that include the breach notification language, however, were clear in an Oct. 1 letter to HHS that the law does not include a harm standard and called on HHS Secretary Kathleen Sebelius to drop that language (see Inside CMS, Oct. 15).
A spokesman for HHS said the agency would not respond to questions about the lawmakers’ concerns while the comment period was open. Inside CMS again asked the agency to comment after the comment period closed, but an HHS spokesman did not immediately respond.
Ashley Katz, executive director of Patient Privacy Rights, said that members of her coalition met with HHS officials about the regulation and that she is hopeful the agency will reverse course. Katz said she met with Georgina Verdugo, who was appointed director of the HHS Office for Civil Rights after the rule was written. Verdugo has an extensive background in civil rights, having served as chief of the Mexican American Legal Defense and Educational Fund, Deputy Assistant Attorney General in the U.S. Department of Justice’s Office of Legislative Affairs in the Clinton administration and Chief of Staff for Rep. Lucille Roybal-Allard (D-CA).
Complicating matters, HHS and the Federal Trade Commission are interpreting the law differently.
While the HHS interim final rule would allow hospitals and other providers to determine if a breach was harmful for a patient, a rule issued by the Federal Trade Commission the same day (Aug. 25) takes the opposite approach.
"Because health information is so sensitive, the Commission believes the standard for notification must give companies the appropriate incentive to implement policies to safeguard such highly sensitive information," the FTC wrote in its rule.
The FTC noted in the rule the difference between financial and health information, quoting comments from the Coalition for Patient Privacy: "With a breach of financial records, a consumer faces a significant headache, but ultimately can have their credit and funds restored; this is not the case with health records. A stigmatizing diagnosis, condition or prescription in the wrong hands can cause irreversible damage and discrimination," the rule states.
It is especially ironic, one privacy advocate noted, that the rules from both agencies state that the goal of each agency is to "harmonize" the two rules as much as possible, and yet on such a key issue the two rules are polar opposites.
"It’s very difficult not to wonder who was whispering in their ear. You hope that they act on the urging from Congress, and on urging from consumers, and they fix it. If they don’t, it’s a terrible precedent," said Katz.
The comment period on the interim final rules ended Oct. 25.
The FTC rule takes into account the vastly different privacy issues surrounding financial data and clinical information, Katz said.
"You can fix your credit," Katz said. "You can’t delete from your employer’s memory the fact that you are taking anti-anxiety medicine."