The Obama administration is rewriting the new rules governing the notification of a health data breach.
The rules cover when a healthcare organization must tell patients about the improper use or disclosure of medical record data. As they stand now, the rules say providers and insurers must notify patients only if the breach poses “a significant risk of financial, reputational or other harm.”
Ah, but how do you define harm? That’s the problem. Congress and consumer groups are crying foul about the language, saying the rules don’t adequately protect patients. Hospitals and insurers tend to support the rules.
At the urging of the White House, Health and Human Services secretary Kathleen Sebelius has withdrawn the rules for further consideration, according to The Times.
Hospitals and insurers were often reluctant to notify patients, Beth Givens, director of the Privacy Rights Clearinghouse, told the newspaper, because: “Few things could be more damaging to an institution’s reputation than having to admit that it has lost or someone allowed others to intrude into its patients’ private medical data.”
What do you think about that? How does the disclosure of patient medical data affect the reputation of a healthcare provider or institution? Should the rules be stricter?