Would a federal data breach notification law be A Good Thing or not for healthcare?
Modern Healthcare covered a Congressional hearing this week to consider a federal data breach notification law. Congress has been kicking the idea around for years, but one of the big stumbling blocks has been whether any such law would pre-empt state laws.
I have long been on record supporting a federal law that pre-empts state laws, but only if the federal law is at least as strong as the strongest state laws. I think it is unnecessarily burdensome on businesses to try to sort out 46 different breach notification laws, and feel sorry for people who live in the states that do not have any breach notification laws at all.
We need a strong law that sets clear standards for what types of information are covered – including health-related information held by non-HIPAA-covered entities – and the trigger for notification needs to be an “access or acquisition” standard without any “significant harm” threshold. The notification letter needs to include what happened, when it happened, where it happened, and how it happened, as well as what types of information were involved. I’ve outlined my thoughts on these points numerous times on DataBreaches.net, including the need for transparency and a public listing of breaches that consumers and researchers can access.
In combination with any data breach notification law, however, the federal government also needs to impose some privacy and data security standards, so that any entity that collects PII or what should be PHI clearly knows its obligations on data collection, data protection, and data sharing. This would be particularly helpful given the proliferation of so many apps and health-related sites that seem to be sharing information widely.
I realize many businesses will claim that such an approach will “stifle innovation.” My response is that it will also reduce identity theft and other harms that may result from privacy breaches, will foster greater consumer confidence in businesses, and will bring U.S. law more into alignment with EU data protection laws.
In the end, I think that stronger federal laws will be good for U.S. businesses and good for consumers.