Palisade Blog
Healthcare Providers Defend Looser Data Breach Disclosure Requirements

by mitch 12. February 2010 06:32

Healthcare providers said they should only be required to disclose data breaches when they have determined that patients were likely harmed by the breach. The providers defended a controversial "harm threshold" standard proposed by the U.S. Department of Health and Human Services (HHS).

The "harm threshold" standard in HHS' interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notifications, according to providers who work in privacy and security.

At the 18th annual National HIPAA Summit Friday, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.

"If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," Hofman said.

The interim rule says that, in the event of a data breach, providers need to ask themselves who received the compromised information, whether it poses a "significant risk of financial, reputational, or other harm to the individual," and whether mitigation is possible -- for example, whether it can be determined that the data on a stolen laptop computer was not accessed.

While healthcare providers say the "harm threshold" is reasonable, some members of Congress disagree. They are "deeply concerned" that the provision would give covered entities and business associates a "breadth of discretion." Congress explicitly rejected a harm standard when it wrote the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher Health Insurance Portability and Accountability Act (HIPAA) enforcement and breach notification requirements.

Critics of the harm threshold say it gives healthcare providers the freedom to avoid informing patients of any data breaches.

You don't have to worry about disclosing a data breach if you don't have one. Palisade's PacketSure™ Data Loss Prevention appliance can help secure confidential data on the network. View a video demo, request a live demo, or get a free Secure Assessment.

In other data loss prevention news:

German tax dodgers running scared after data breach

The Heartland Data Breach Fight Continues

Number of victims grows for BlueCross data breach

What Do DLP and Condoms Have in Common?