Following the Department of Health and Human Services' issuance of an interim final rule governing notification of breaches of protected health information, industry representatives and members of Congress submitted letters of comment to HHS Secretary Kathleen Sebelius. Here's a sampling of comments.

House Reps. Oppose Breach Rule

Six leaders of the House Ways and Means and Energy and Commerce Committees - five Democrats and one Republican - sent the following letter to Secretary Sebelius:

"We are deeply concerned about the high bar that the Department of Health and Human Services has set for notification of individuals in the case of an unauthorized use or disclosure of personal health information in its Aug. 24, 2009, interim final regulations on Breach Notification for Unsecured Protected Health Information promulgated pursuant to the American Recovery and Reinvestment Act of 2009. This is not consistent with Congressional intent.

"ARRA included provisions promoting health information technology as a foundation for quality and efficiency improvements in the U.S. health care system. However, these benefits can be fully realized only with the inclusion of strong safeguards that protect the privacy and security of individuals' personal health information. To gain the public trust, it is imperative that there is effective implementation of those provisions by HHS.

"Section 13402 of ARRA requires health care entities to notify individuals if there is an 'unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.' In its interim final rule, HHS interpreted the term 'compromises' to include a substantial harm standard. If the breaching entity decides there is no significant risk of financial, reputational or other harm to the individual, that provider or health insurer never has to notify their patients that their sensitive health information was used or disclosed in violation of the federal privacy rule.

"ARRA's statutory language does not imply a harm standard. In drafting Section 13402, Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.

"In fact, during development towards final policy, the Committee on Energy and Commerce released a discussion draft of health information technology and privacy legislation in May of 2008. In that draft, in addition to a definition of breach similar to that used here, the language specifically included a harm standard that was later rejected. The discussion draft only required patients to be notified if the unauthorized use of personal health information could 'reasonably result in substantial harm, embarrassment, inconvenience or unfairness to the individual.'

"Members considered the comments they received, the practices of States, and ultimately decided against inclusion of a harm standard. Instead, Members reported and passed legislation that has a black and white standard for notification with a safe harbor for information that is rendered unusable, unreadable, or indecipherable to unauthorized individuals, and other specific exceptions. The primary purpose for mandatory breach notification is to provide incentives for health care entities to protect data, such as through strong encryption or destruction methodologies and to allow individuals to assess the level of unauthorized use or disclosure of their information. Such transparency allows the consumer to judge the quality of a health care entity's privacy protection based on how many breaches occur, enabling them to choose entities with better privacy practices. Furthermore, a black and white standard makes implementation and enforcement simpler.

"We urge HHS to revise or repeal the harm standard provision included in its interim final rule at the soonest appropriate opportunity. We hope to work more closely with the agency on future privacy regulations and request this letter be submitted as part of the official comments (reference number RIN 0991-AB56). Thank you for your ongoing commitment and attention to protecting Americans' health information privacy."

Signing the letter were Democrats Henry Waxman, Charles Rangel, John Dingell, Frank Pallone Jr., Pete Stark and Republican Joe Barton.

Group: Rule Flouts Congressional Intent

Consumer Watchdog, an advocacy organization, has called on Health and Human Services Secretary Kathleen Sebelius to repeal the new health information breach notification rule, saying it flouts congressional intent.

Section 13402 of the American Recovery and Reinvestment Act requires notification if there is unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security and privacy of the information, the organization said in an Oct. 22 letter to Sebelius. "This is a simple, black and white standard," according to the letter. "If there is a breach, there must be notification."

But HHS in its rule "inexplicably" changed the requirements for necessitating notification of breaches, according to Consumer Watchdog. "You have decided to interpret 'compromises the security' of data to include a substantial harm standard," the organization told Sebelius. "Under the HHS interpretation, if the breaching entity decides there is no significant risk of financial, reputational or other harm to the individual, the provider or health insurer never has to disclose that the sensitive information was used or disclosed in violation of the federal privacy rule. In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous."

The organization, in its letter to Sebelius, questions whether health care lobbyists had undue influence on HHS' rulemaking process.

AHA Comments on Breach Rule

The American Hospital Association supports the inclusion of a "risk threshold" in the Department of Health and Human Services' interim final rule covering breach notifications, according to a comment letter sent to HHS officials.

Under the interim final rule, an organization that experiences a breach of protected health information need not provide notification if it determines there is no significant risk of harm to affected individuals. This standard is consistent with a majority of state breach notification laws, according to the AHA.

"We believe that it is critical to the successful implementation of a federal breach notification policy that patients be notified of breaches that pose a significant risk of harm, yet not receive countless notices of breaches that do not pose harm," the AHA letter states. "Therefore, we strongly encourage HHS to maintain its definition of 'breach' in finalizing this rule."

Other AHA comments include:

  • HHS should identify - beyond use of a limited data set where certain identifying information is removed - other situations in which inadvertent use and disclosure does not compromise PHI or warrant a breach notification. "For example, there are many conceivable situations in which inadvertent disclosures from one covered entity to another would not compromise the privacy or security of the information, such as where a hospital sends information to the wrong physician practice, mistakenly and in good faith. In this circumstance, both the disclosing and receiving entities already are bound by the HIPAA privacy rule's obligation to mitigate harm."
  • Covered entities should not be required to determine whether a business associate is an "agent" or "contractor" of a covered entity. Such a determination could affect establishment of when a covered entity learned of a breach. The AHA asks HHS to clarify that all business associates are covered under the HIPAA privacy rule, "which details when a business associate must notify a covered entity of a breach, and that a covered entity will only 'discover' a breach when informed of the breach by its business associate consistent with this timing requirement," according to the comment letter.

Full text of the letter is available at www.aha.org.

This information can also be found at HealthDataManagement.com.