The Undefined Price of Patient Privacy

August 2, 2010

When does a data breach become “harmful” to patients? Tough question, right? Well, just like you, the HHS would like to take a little bit longer to answer the question.

As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS issued a final rule on data breach notifications and sent it along to the Office of Management and Budget for review in May. Last week, however, HHS decided it would withdraw that rule, “to allow for further consideration,” given its “experience to date in administering the regulations,” according to a department statement.

The crux of the issue is the controversial “harm standard” in the HHS rule, which allows business entities - including physicians’ offices - that suffer a data breach to determine for themselves whether the incident was harmful to individuals, i.e., patients. Under the submitted rule, if the providers and others determine that there was no true risk, they do not have to reveal the breach.

Needless to say, the rule was met with opposition from patients’ rights groups and even a handful of members of Congress who essentially said a breach is a breach and in any such case, an individual should be notified.

The withdrawal of the rule regarding the “harm standard” was met with approval by the Coalition for Patient Privacy, which called the move “a huge step in the right direction,” noting that letting business entities decide whether to report data breaches was akin to “letting the fox guard the hen house.”

Now the HHS admits that this is a “complex issue,” per their statement on withdrawing the “harm standard.” The agency also notes that it wants patient health information “secured to the extent possible to avoid unauthorized uses and disclosures, and ensure that individuals are appropriately notified when incidents do occur.”

But the question remains: Why not notify patients for every breach?

Yes, there is a cost to contacting hundreds - possibly thousands - of patients should a laptop get stolen, for example, but what is the price tag on a violation of privacy? I’m not the first to ask this question. Just look at recent SEC and other government entity settlements on the matter, including the one with pharmacy Rite Aid. The company recently paid $1 million to settle possible HIPAA violations over discarded pill bottles.

Some may see this as extreme, but remember: just like your credit card information, date of birth, Social Security number, and countless other pieces of a person’s identity, health information belongs to the individual, and it is up to them, and only them, to decide who gets access.

So I say kudos to the HHS for taking a little more time to look at data breaches. Perhaps the threat of a costly notice will be enough for folks to ensure patient information is kept securely behind lock and key.