CAP en EspaƱol
Small CAP Banner

CAP Comments on HHS Health Data Breach Guidelines

SOURCE: istockphoto

Strong technical standards should be built into proposed data breach guidelines for health care records as more health information technology is implemented through spending from the American Recovery and Reinvestment Act.

  • print icon
  • SHARE:
  • Facebook icon
  • Twitter icon
  • Share on Google+
  • Email icon

Download the comments (pdf)

The American Recovery and Reinvestment Act of 2009 imposes a new duty on health care providers and insurers to notify affected individuals about any breach of their personal health data. The Department of Health and Human Services has asked for comments on the first national guidelines for these medical data breaches.

The Center for American Progress submitted comments today to HHS about the data breach guidelines, together with the Markle Foundation’s Connecting for Health Initiative, the Center for Democracy and Technology, and other signatories. The comments explain why strong data breach guidelines are essential to the success of ARRA’s unprecedented public investment in health information technology.

Health IT can and must transform health care. It can improve the quality of care, reduce medical errors, promote prevention, and reduce costs. The health IT initiative depends on the degree to which patients and consumers trust that health information will be protected from inappropriate use and disclosure. Large, unnecessary data breaches could undermine confidence in health care privacy and security. The new data breach guidelines, therefore, are a crucial way to reduce the number of breaches and build privacy and security effectively into the new health IT infrastructure.

The proposed national guidelines, like some existing state laws, generally require notice to individuals about breaches but create exclusions where effective technical measures protect the individual data. The comments today emphasize that breach notice exclusions should be limited to data formats that are very resistant to access by unauthorized persons. Second, the exclusions should provide incentives to protect personal health information for entities holding health care data to use state-of-the-art practices and technologies. The real value of identifying exclusions from breach notice requirements is to encourage the use of the best available methodologies, offering greater data protection.

The comments we have submitted are consistent with this view. The comments:

  • Support the strong encryption and data destruction standards included in the current guidelines.
  • Recommend adding to the list of accepted technologies and methodologies a one-way hash function, a technical approach that is particularly useful for comparing population-level data sets without unnecessarily exposing patient data.
  • Urge HHS not to add the “limited data set” to the list of the technologies and methodologies because that approach does not employ the technical levels of protection achieved through encryption and one-way hashing.
  • Ask HHS to emphasize that the technologies and methodologies are in addition to the existing requirement to use the minimum amount of data necessary to accomplish a particular purpose.
  • Recommend that HHS carefully examine unintended and possibly negative consequences of creating an exclusion based on biometric approaches to safeguarding devices that contain personal health information.
  • Recommend careful study of the existing “de-identification” standard under the Health Insurance Portability and Accountability Act medical privacy rule, and consider whether data currently defined as “de-identified” should remain outside of HIPAA, including with respect to breach notification.
  • Urge HHS to expressly commit to annually reviewing the data breach guidance and set forth a process for doing so.
  • Recommend HHS use threat profiles as part of this annual review to evaluate the potential of policies, technologies, and methodologies to protect and secure personal health information.

Download the comments (pdf)

Read more on implementing health IT from CAP:

A Historic Opportunity: Wedding Health Information Technology to Care Delivery Innovation and Provider Payment Reform

To speak with our experts on this topic, please contact:

Print: Liz Bartolomeo (poverty, health care)
202.481.8151 or

Print: Tom Caiazza (foreign policy, energy and environment, LGBT issues, gun-violence prevention)
202.481.7141 or

Print: Allison Preiss (economy, education)
202.478.6331 or

Print: Tanya Arditi (immigration, Progress 2050, race issues, demographics, criminal justice, Legal Progress)
202.741.6258 or

Print: Chelsea Kiene (women's issues,, faith)
202.478.5328 or

Print: Benton Strong (Center for American Progress Action Fund)
202.481.8142 or

Spanish-language and ethnic media: Jennifer Molina
202.796.9706 or

TV: Rachel Rosen
202.483.2675 or

Radio: Sally Tucker
202.481.8103 or