CAP Comments on HHS Health Data Breach Guidelines

Download the comments (pdf)

The American Recovery and Reinvestment Act of 2009 imposes a new duty on health care providers and insurers to notify affected individuals about any breach of their personal health data. The Department of Health and Human Services has asked for comments on the first national guidelines for these medical data breaches.

The Center for American Progress submitted comments today to HHS about the data breach guidelines, together with the Markle Foundation’s Connecting for Health Initiative, the Center for Democracy and Technology, and other signatories. The comments explain why strong data breach guidelines are essential to the success of ARRA’s unprecedented public investment in health information technology.

Health IT can and must transform health care. It can improve the quality of care, reduce medical errors, promote prevention, and reduce costs. The health IT initiative depends on the degree to which patients and consumers trust that health information will be protected from inappropriate use and disclosure. Large, unnecessary data breaches could undermine confidence in health care privacy and security. The new data breach guidelines, therefore, are a crucial way to reduce the number of breaches and build privacy and security effectively into the new health IT infrastructure.

The proposed national guidelines, like some existing state laws, generally require notice to individuals about breaches but create exclusions where effective technical measures protect the individual data. The comments today emphasize two points. First, breach notice exclusions should be limited to data formats that are very resistant to access by unauthorized persons. Second, the exclusions should give entities holding health care data an incentive to protect personal health information with state-of-the-art practices and technologies. The real value of identifying exclusions from breach notice requirements is to encourage the use of the best available methodologies, offering greater data protection.

The comments we have submitted are consistent with this view. The comments:

  • Support the strong encryption and data destruction standards included in the current guidelines.
  • Recommend adding to the list of accepted technologies and methodologies a one-way hash function, a technical approach that is particularly useful for comparing population-level data sets without unnecessarily exposing patient data.
  • Urge HHS not to add the “limited data set” to the list of the technologies and methodologies because that approach does not employ the technical levels of protection achieved through encryption and one-way hashing.
  • Ask HHS to emphasize that the technologies and methodologies are in addition to the existing requirement to use the minimum amount of data necessary to accomplish a particular purpose.
  • Recommend that HHS carefully examine unintended and possibly negative consequences of creating an exclusion based on biometric approaches to safeguarding devices that contain personal health information.
  • Recommend careful study of the existing “de-identification” standard under the Health Insurance Portability and Accountability Act medical privacy rule, and that HHS consider whether data currently defined as “de-identified” should remain outside of HIPAA, including with respect to breach notification.
  • Urge HHS to expressly commit to annually reviewing the data breach guidance and set forth a process for doing so.
  • Recommend HHS use threat profiles as part of this annual review to evaluate the potential of policies, technologies, and methodologies to protect and secure personal health information.
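The one-way hash recommendation above, illustrated with an added Python example that is not part of the CAP comments: two organizations compute a keyed one-way hash (HMAC-SHA256, an assumed choice) of patient identifiers, exchange only the tokens, and count shared patients without exposing raw identifiers. It also shows the caveat a reviewer of such an exclusion would want: an unkeyed hash over a small, predictable identifier space is just a lookup table. Sample identifiers and the 4-digit ID space are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical): patient identifiers held by two
# separate organizations that want to learn how many patients they share.
SITE_A = ["0412", "1983", "7731", "5520"]
SITE_B = ["1983", "5520", "9004"]
ID_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit ID


def keyed_token(identifier: str, key: bytes) -> str:
    """One-way token: HMAC-SHA256 of the identifier under a shared secret key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier with no key; shown only for comparison."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def shared_patient_count(site_a, site_b, key: bytes) -> int:
    """Number of patients present in both data sets, computed on tokens only.

    Each site tokenizes locally and exchanges tokens, never raw identifiers."""
    tokens_a = {keyed_token(i, key) for i in site_a}
    tokens_b = {keyed_token(i, key) for i in site_b}
    return len(tokens_a & tokens_b)


def recoverable_by_lookup(token: str) -> bool:
    """Caveat: an unkeyed hash of a small, predictable identifier space offers
    little protection, because the whole space can be hashed into a table.
    Returns True if the token maps back to an identifier in the toy ID space."""
    table = {unkeyed_token(i): i for i in ID_SPACE}
    return token in table


def recoverable_with_wrong_key(token: str, wrong_key: bytes) -> bool:
    """Without the agreed key, enumerating the same ID space matches nothing."""
    table = {keyed_token(i, wrong_key): i for i in ID_SPACE}
    return token in table


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # agreed out of band by the two sites
    print("shared patients:", shared_patient_count(SITE_A, SITE_B, key))  # 2
    print("unkeyed token recoverable:", recoverable_by_lookup(unkeyed_token("1983")))  # True
    print("keyed token recoverable without key:",
          recoverable_with_wrong_key(keyed_token("1983", key), b"wrong"))  # False
```

The key must be kept out of the exchanged tokens and the data set it protects; a key stored alongside the token table turns the keyed scheme back into the unkeyed one.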

Read more on implementing health IT from CAP:

A Historic Opportunity: Wedding Health Information Technology to Care Delivery Innovation and Provider Payment Reform