Comments to Department of Health and Human Services re Breach Notification for Unsecured Protected Health Information
Breach Notice Comments Submitted to U.S. Department of Health and Human Services
October 23, 2009
US Department of Health and Human Services
Office for Civil Rights, Attention: HITECH Breach Notification
Hubert H. Humphrey Building, Room 509F
200 Independence Ave, SW
Washington, DC 20201
Submitted via: www.regulations.gov
RE: RIN 0991-AB56 - Breach Notification for Unsecured Protected Health Information
To the Department of Health and Human Services:
The Privacy Rights Clearinghouse (PRC) appreciates this opportunity to comment on the Department of Health and Human Services’ (HHS or Department) interim final rules regarding breach notification to individuals in the event of unauthorized use and access of protected health information. The rules, issued in coordination with the Federal Trade Commission (FTC), are mandated by Section 13402 of the Health Information Technology for Clinical Health (HITECH) Act.
We direct our comments as follows solely on the issue of the Department’s “harm test” for determining when a data breach notice is required:
- A “harm test” undercuts individuals’ privacy rights
- A “harm test” pits the covered entity’s interest against that of individuals
- A “harm test” overstates the prospect of excessive breach notices
- A “harm test” dilutes the Department’s enforcement powers
- Conclusion and recommendations
Notice that a data breach has occurred, to be effective, serves dual purposes. First, notice allows each individual to act to protect his or her own personal information. Second, a notice may be a signal that an entity’s security practices have failed and need to be reevaluated.
The interim final rule achieves neither of these objectives.
In adopting the interim final rules, the Department has included a “harm threshold,” meaning that an unauthorized use or disclosure of protected health information (PHI) would not require notice to the individual unless the covered entity, after a self-directed risk analysis, determines there is some harm to the individual. The rule then goes one giant step further by stating there is no risk unless the covered entity determines that the individual’s information is not compromised unless the covered entity finds the breach “poses a significant risk of financial, reputational, or other harm to the individual.” 
The FTC’s final rule, in contrast, adopts the “rebuttable presumption” test, meaning that unauthorized access to health information is assumed to have occurred unless the affected entity can demonstrate otherwise. We strongly urge the Department, for the following reasons, to abandon the “harm” test in favor of the individual-favored “rebuttable presumption” test adopted by the FTC.
Privacy is a matter best left to the individual. Ask anyone what information they consider most sensitive, warranting the highest level of protection, and health-related information will surely be at the top of the list. For some, only certain bits of medical information are sensitive. For others, anything related to treatment or medical issues is off limits for discussion, even with trusted friends. True privacy and data security cannot be achieved unless individuals can independently decide what medical information is private and what is not.
Some patients who are hospitalized welcome calls and visits from family, friends, and coworkers. Others, for reasons of their own, may seek strict privacy and choose that their name not be included in a hospital’s directory. Under the Department’s significant harm test, a data breach would not occur if the hospital inadvertently published a list of patients hospitalized on any given day, whether or not the patient had opted to be in the hospital’s directory.
The interim final rules give the following example of a situation that would not require notice:
“…if a covered entity improperly discloses protected health information that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual.” 
We respectfully disagree with the rule’s assumption that the above situation may not constitute a risk of harm to at least some of the individuals affected. In this scenario, the covered entity is unlikely to have information enough to conduct a reasonable risk assessment as to each individual involved.
A person may, as one example, take vacation time or an unpaid leave of absence from work for a particular procedure, hoping to keep the fact of the hospitalization away from the employer and coworkers. Simply revealing the fact that the person was in the hospital could prompt nosey coworkers to dig deeper or employers to independently investigate the employer’s health in considering a promotion or coveted transfer.
Not only that, but the Department, in the above example, seems to assume that individual bits of information are isolated facts rather than what they are, the building blocks of personal profiles. Thanks to the Internet, almost any isolated fact can be used as the first step in accessing significant amounts of information about any of us. For instance, a patient’s name and the name of the hospital will, in addition, almost certainly indicate the area where the patient lives. For all except those with the most common names, a few minutes on the Internet and anyone, for any purpose, can have a map to the patient’s door.
The patient’s name along with the name of the hospital may, of course, not pose a risk of significant harm for all patients whose names are inadvertently published. Rather, the risk posed may vary depending on the person who gained access, the motives behind the security breach and each individual affected. The risk of harm may be different for each individual involved.
It is the individual, not the covered entity, who should decide whether a given situation poses a risk of harm. A covered entity will almost never have the ability to make blanket risk assessments that evaluate potential harm to all affected individuals.
As the breach rule now stands, notice is not required unless the covered entity determines that disclosure would result in “significant financial, reputation, or other harm.” This is precisely the potential harm the covered entity may face in having to publicly acknowledge a security lapse.
Healthcare providers and other covered entities naturally have a strong financial incentive to avoid notice. Granted, notice may be costly, and make no mistake, healthcare today is a business like any other. A healthcare provider, even with good intentions, may logically look to the bottom line in deciding when to give a breach notice.
Few things could be more damaging to an institution’s reputation than having to admit that it has lost or somehow allowed others to intrude into its patients’ private medical data. Potential financial and reputational harm is compounded with multiple data breach incidents. Indeed, a covered entity with the worst security practices may have more incentive than others to avoid public notice of a data breach.
Under the HHS version of the data breach rule, not even multiple security lapses would qualify for notice so long as the covered entity decides there is no ”significant” harm posed. Such a standard gives far too much discretion to a business whose security practices may be lax to begin with.
In short, the rule places the covered entity in the position of having to balance its own interests against those of individuals whose privacy and data security interests the covered entity, by law, must protect. In the end, short-term decisions that fail to highlight inadequate security systems could prove disastrous to both the covered entity and the patients involved.
From a privacy and data security standpoint, a breach notice should be seen as a gauge for assessing the overall effectiveness of the HIPAA Security Rule, extending to each covered entity and the healthcare industry as a whole.
HHS accepts the arguments of industry representatives who say a harm test is needed because individuals may be “flooded” with notifications about breaches. We believe the FTC got it right when that agency says, “…the danger of overnotification may be overstated.”
If indeed the industry spokespersons are right, this does not indicate that the rule is too rigid. Rather, if consumers are receiving too many breach notices telling them their protected health information has been breached, this is a certain indication that something is wrong somewhere. Multiple notices sent out by a single entity alerting consumers to a breach of privacy and security strongly suggest that this entity’s security practices are not up to par. Multiple notices from many different entities is a certain indicator of systemic problems industry wide that should be addressed by the Department or, if need be, by Congress.
On a more personal note, the PRC over the years has received thousands of questions and complaints from consumers about privacy and security of medical information. With all these contacts, the PRC has received, at most, only a handful of questions or complaints about receiving breach notices or experiencing panic because they received a notice.
The HITECH Act gives the Department as well as state attorneys general significant new powers to enforce privacy and security for protected health information. However, the interim final rules in a sense delegate the responsibility for determining what is or is not a privacy or security violation to covered entities the Department is charged with overseeing.
Reporting to the Department and public notice are required for data breaches involving more than 500 people. For breaches involving more than 500 people, a covered entity must report annually to the Department. However, as a precursor to either of these reporting and notice requirements, the covered entity must perform a risk analysis and decide whether a breach will pose significant financial, reputation, or other harm to the individuals affected.
Presumably, even a breach involving more than 500 people would not require notice or reporting to the Department unless the covered entity, after a risk assessment, were to decide the incident is not important enough to report. By the same token, it seems that not even a track record of numerous, repeated incidents would necessarily see the light of day.
Granted, the rules require a covered entity to document its risk assessment. However, there appears to be nothing in the interim final rule that requires the covered entity to routinely furnish this documentation to the Department.
If neither consumers nor the Department need be informed of a security breach, even the most egregious violations may go undetected indefinitely or until disaster strikes.
For the above reason, we urge the Department to reconsider the significant harm standard set in the interim final rule. We believe the “rebuttal presumption” standard adopted by the FTC is better suited for highly sensitive health information. As a minimum, covered entities should routinely report all data breaches to the Department, including those for which the covered entity has decided there is no risk of substantial harm.
The PRC appreciates the opportunity to comment regarding the interim final rules.
Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Phone: (619) 298-3396
 The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org
 Published at 74 Federal Register 42740 (August 24, 2009), http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
 The FTC’s final breach notification, published at 74 Federal Register 42962 (August 25, 2009), dictates breach notification for web-based entities that collect individuals’ health information but are not “covered entities” as defined by the Health Insurance Portability and Accountability Act (HIPAA) and the Department’s implementing HIPAA rules.
 47 Federal Register 42744
 47 Federal Register 42745
 74 Federal Register 42967