House members seek stronger health care data breach notifications
'Harm threshold' runs counter to Congress' intent, HHS told
Computerworld - The House Committee on Energy and Commerce is voicing concern over a controversial provision in a recently passed health care breach notification bill that gives health care companies considerable discretion on whether to disclose a data breach.
The so-called "harm threshold" provision was included in an interim final rule published late last month by the U.S. Department of Health and Human Services (HHS) in a bill requiring breach notification for unsecured health information. Under the provision, health-care entities would have to publicly disclose data compromises only if they think the breach will cause financial harm to those whose data was compromised or hurt their reputation.
In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the "soonest appropriate opportunity."
The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress' intent in passing the breach notification bill. The bill's statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the "breadth of discretion" it would have given a breached entity, the letter said.
The health-care breach notification law is part of the $20 billion Health Information Technology for Economic and Clinical Health Act
Privacy and civil rights groups claimed that the HHS had essentially neutered the breach notification bill with its harm threshold requirement. They also accused the department of caving in to industry pressure. Groups such as Patient Privacy Rights, a watchdog group in Texas, and the Washington-based Center for Democracy and Technology said the provision completely undermined the intent of the bill and removed any incentive for breached entities to disclose a data compromise.
Read more about Privacy in Computerworld's Privacy Topic Center.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Confront consumerization with convergence Virtualization expert Elias Khnaser spotlights the security, compliance, and governance issues that arise when enterprise users "consumerize" with shadow IT and public cloud...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!