The new health care data breach notification law, which is set to go into effect Wednesday, has drawn harsh criticism from privacy advocates.
Late last month, the U.S. Department of Health and Human Services (HHS) issued an interim final rule requiring health care organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached. But privacy advocates contest a “harm threshold” provision of the interim final rule, which states that if a breach occurs, organizations should conduct a risk assessment and only need to issue breach notifications if they believe disclosure of the information “poses some harm to the individual.”
Harley Geiger, legal counsel at the Center for Democracy and Technology (CDT), told SCMagazineUS.com on Tuesday that Congress intended for the federal rule to incentivize proactive data protection measures, such as encryption. For example, if the data involved in a breach is rendered unusable by encryption, companies do not have to issue breach notifications, the interim final rule states.
But the harm threshold “cripples” any incentive to protect data, Geiger said.
“Ultimately this weakens patient privacy and the transparency of health care companies,” Geiger said.
Automated summary from: SC Magazine
