Lawmakers: lower bar for health IT data breach notification
Roy Mark reports:
Two key chairmen of U.S. House committees Oct. 1 urged HHS (Health and Human Services) Secretary Kathleen Sebelius to revise or appeal the agency’s controversial “harm standard” that would trigger a personal health record data breach notification.
Under the current rules, companies that secure health information using encryption or destruction, no breach notification is necessary. For those companies that don’t use encryption/destruction to protect the health data of individuals, notification isn’t necessary if the breach doesn’t rise to the harm standard established in the rules.
According to HHS’ harm standard, a data breach does not occur unless the access, use or disclosure poses a “significant risk of financial, reputational or other harm to individual.” Covered entities that suffer a data breach are required to perform a risk assessment to determine if the harm standard is met. If the entity decides the harm to an individual is not significant, no notification is required.
“This is not consistent with the Congressional intent,” Rep. Henry Waxman (D-CA), chairman of the Energy and Commerce Committee, and Rep. Charles Rangel (D-NY), chairman of the Committee on Ways, wrote to Sebelius.
Read more on eWeek.
Image credit: AP