
CAP Comments on HHS Health Data Breach Guidelines

Strong technical standards should be built into proposed data breach guidelines for health care records as more health information technology is implemented through spending from the American Recovery and Reinvestment Act.

Download the comments (pdf)

The American Recovery and Reinvestment Act of 2009 imposes a new duty on health care providers and insurers to notify affected individuals about any breach of their personal health data. The Department of Health and Human Services has asked for comments on the first national guidelines for these medical data breaches.

The Center for American Progress submitted comments today to HHS about the data breach guidelines, together with the Markle Foundation's Connecting for Health Initiative, the Center for Democracy and Technology, and other signatories. The comments explain why strong data breach guidelines are essential to the success of ARRA’s unprecedented public investment in health information technology.

Health IT can and must transform health care. It can improve the quality of care, reduce medical errors, promote prevention, and reduce costs. The health IT initiative depends on the degree to which patients and consumers trust that health information will be protected from inappropriate use and disclosure. Large, unnecessary data breaches could undermine confidence in health care privacy and security. The new data breach guidelines, therefore, are a crucial way to reduce the number of breaches and build privacy and security effectively into the new health IT infrastructure.

The proposed national guidelines, like some existing state laws, generally require notice to individuals about breaches but create exclusions where effective technical measures protect the individual data. The comments today make two points about those exclusions. First, breach notice exclusions should be limited to data formats that are highly resistant to access by unauthorized persons. Second, the exclusions should give entities holding health care data an incentive to protect personal health information with state-of-the-art practices and technologies. The real value of identifying exclusions from breach notice requirements is to encourage the use of the best available methodologies, which offer greater data protection.

The comments we have submitted are consistent with this view. The comments:

  • Support the strong encryption and data destruction standards included in the current guidelines.
  • Recommend adding to the list of accepted technologies and methodologies a one-way hash function, a technical approach that is particularly useful for comparing population-level data sets without unnecessarily exposing patient data.
  • Urge HHS not to add the “limited data set” to the list of the technologies and methodologies because that approach does not employ the technical levels of protection achieved through encryption and one-way hashing.
  • Ask HHS to emphasize that the technologies and methodologies are in addition to the existing requirement to use the minimum amount of data necessary to accomplish a particular purpose.
  • Recommend that HHS carefully examine unintended and possibly negative consequences of creating an exclusion based on biometric approaches to safeguarding devices that contain personal health information.
  • Recommend careful study of the existing “de-identification” standard under the Health Insurance Portability and Accountability Act medical privacy rule, and consideration of whether data currently defined as “de-identified” should remain outside of HIPAA, including with respect to breach notification.
  • Urge HHS to expressly commit to annually reviewing the data breach guidance and set forth a process for doing so.
  • Recommend HHS use threat profiles as part of this annual review to evaluate the potential of policies, technologies, and methodologies to protect and secure personal health information.
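The one-way hashing recommendation above describes comparing population-level data sets without exposing patient identifiers. The following is an added example, not code from CAP or the submitted comments, of how two data holders can do that: each side replaces an identifier with a keyed digest (HMAC-SHA256 under a key the two parties have agreed on, which is an assumption here since the page only says "one-way hash") and then compares digests instead of raw identifiers. The records, key and normalization rule are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real patients). Each holder keeps its own
# identifiers locally and only ever exchanges the digests computed below.
HOSPITAL_RECORDS = [
    {"id": "A123-45-6789", "dob": "1970-03-02", "cohort": "diabetes"},
    {"id": "B234-56-7890", "dob": "1985-11-17", "cohort": "diabetes"},
    {"id": "C345-67-8901", "dob": "1962-07-30", "cohort": "control"},
]
REGISTRY_RECORDS = [
    {"id": "a123456789", "dob": "1970-03-02"},  # same person as A123-45-6789, different formatting
    {"id": "D456-78-9012", "dob": "1990-01-09"},
    {"id": "C345678901", "dob": "1962-07-30"},
]

# Constructed key for the example. A keyed digest is used rather than a bare
# hash because identifiers such as short ID numbers and birth dates have little
# entropy: an unkeyed SHA-256 over them can be recovered by enumerating the
# identifier space, which defeats the purpose of hashing.
SHARED_KEY = b"constructed-demo-key-replace-with-agreed-secret"


def normalize(identifier: str, dob: str) -> bytes:
    """Canonicalize the matching fields so formatting differences do not break matching."""
    compact = "".join(ch for ch in identifier if ch.isalnum()).upper()
    return f"{compact}|{dob}".encode("utf-8")


def pseudonym(identifier: str, dob: str, key: bytes) -> str:
    """Keyed one-way digest of the normalized identifier; this is what gets shared."""
    return hmac.new(key, normalize(identifier, dob), hashlib.sha256).hexdigest()


def pseudonymize(records: list, key: bytes) -> dict:
    """Map each record's digest back to the record, for local use only."""
    return {pseudonym(r["id"], r["dob"], key): r for r in records}


def matching_count(hospital: list, registry: list, key: bytes) -> int:
    """Number of individuals present in both data sets, computed on digests only."""
    return len(pseudonymize(hospital, key).keys() & pseudonymize(registry, key).keys())


def matched_cohort_counts(hospital: list, registry: list, key: bytes) -> dict:
    """Population-level result: how many matched patients fall in each hospital cohort."""
    local = pseudonymize(hospital, key)
    remote_digests = set(pseudonymize(registry, key))
    return dict(Counter(local[d]["cohort"] for d in local if d in remote_digests))


if __name__ == "__main__":
    print("overlap:", matching_count(HOSPITAL_RECORDS, REGISTRY_RECORDS, SHARED_KEY))
    print("by cohort:", matched_cohort_counts(HOSPITAL_RECORDS, REGISTRY_RECORDS, SHARED_KEY))
```

In practice the registry side would receive only the hospital's digest list (or vice versa), so neither party sees the other's raw identifiers; the key is the control that keeps the digests from being reversed by guessing, so it has to be protected and rotated like any other secret.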

Read more on implementing health IT from CAP:

A Historic Opportunity: Wedding Health Information Technology to Care Delivery Innovation and Provider Payment Reform

Also by Peter Swire

Consumers Matter in Mortgage-Servicing Compensation Decision, December 20, 2011

Internet Privacy: The Impact and Burden of EU Regulation, September 15, 2011

Effective National Mortgage Servicing Standards Are Essential, August 8, 2011