Consumer Watchdog Asks HHS to Repeal Rule Allowing Health Care Providers to
Decide When Notification of Breached Electronic Medical Records is Necessary
'Harm Standard' Violates Congressional Legislative Intent In Protecting
Privacy
WASHINGTON, Oct. 22 /PRNewswire-USNewswire/ -- Consumer Watchdog today called
on the Health and Human Services Department to repeal a rule that allows
health care providers and insurers to decide whether consumers must be
notified when the security of their electronic confidential health information
has been breached.
In a letter to HHS Secretary Kathleen Sebelius, the nonprofit, nonpartisan
consumer advocacy group said the HHS regulation violated the intent of
Congress when it charged the department with writing the rules requiring
notification if electronic medical records are breached. Consumers must be
notified whenever there is a breach of medical records, the group said.
The American Recovery and Reinvestment Act of 2009 (ARRA) requires
notification if there is an "unauthorized acquisition, access, use, or
disclosure of protected health information which compromises the security or
privacy of such information." The act charged HHS with writing and
implementing the rules. But HHS interpreted "compromises the security or
privacy" of the data to require a significant risk of harm to the individual
before notification is triggered, adding a harm standard the statute does not
contain.
"Under the HHS interpretation, if the breaching entity decides there is no
significant risk of financial, reputation or other harm to the individual, the
provider or health insurer never has to disclose that the sensitive
information was used or disclosed in violation of the federal privacy rule,"
wrote John M. Simpson, consumer advocate. "In other words, the company
responsible for protecting the sensitive data gets to decide if it needs to
bother to tell anyone that sensitive health data was breached. This is simply
outrageous."
Consumer Watchdog asked what prompted HHS to flout Congressional intent.
"Could it be that Congress managed to fend off the pressures of the health
care industry in passing ARRA only to have the lobbyists return to exert their
influence on the rule making process?"
Read Consumer Watchdog's letter here:
https://www.consumerwatchdog.org/resources/LtrSebelius102209.pdf
Consumer Watchdog noted that Rep. Henry Waxman, Rep. Charles B. Rangel, Rep.
John Dingell, Rep. Frank Pallone Jr., Rep. Pete Fortney Stark and Rep. Joe
Barton have written Secretary Sebelius protesting that the HHS rule violates
Congressional intent. The Congressmen's letter said:
"The primary purpose for mandatory breach notification is to provide
incentives for health care entities to protect data, such as through strong
encryption or destruction methodologies, and to allow individuals to assess the
level of unauthorized use or disclosure of their information. Such
transparency allows the consumer to judge the quality of a health care
entity's privacy protection based on how many breaches occur, enabling them to
choose entities with better privacy practices. Furthermore, a black and white
standard makes implementation and enforcement simpler."
Read the Congressional letter here:
https://www.consumerwatchdog.org/resources/LtrCongSebelius.pdf
Consumer Watchdog said that the Federal Trade Commission, charged with writing
breach regulations for non-HIPAA covered entities such as Personal Health
Record vendors like Google Health, did not find any justification for
introducing a "harm" standard. "The FTC remained true to Congressional intent
and to promoting the public interest," the letter said.
Consumer Watchdog is a nonpartisan consumer advocacy organization with offices
in Washington, D.C. and Santa Monica, CA. Find us on the web at:
http://www.ConsumerWatchdog.org
SOURCE Consumer Watchdog
John M. Simpson, Cell: +1-310-292-1902, Carmen Balber, +1-202-629-3043, both
of Consumer Watchdog