Wednesday, October 7, 2009

Congress Seeks Repeal of HHS Breach Rule

Members of the House Committee on Energy and Commerce are concerned that the data breach notification provision included in the HITECH Act may have been undermined by a Health and Human Services rule, known as the "harm threshold," which gives breached companies leeway in deciding whether notice may be required. In a letter to HHS Secretary Kathleen Sebelius, committee chair Rep. Henry Waxman (D-CA) and other members of the committee urged the secretary to revise or repeal the provision, published in late September. Privacy watchdogs claim the HHS rule was drafted under pressure from the healthcare industry to eliminate possible financial repercussions stemming from a health information data breach.

I was heartened to see this news item. As I have said before, harm thresholds give too much discretionary power to the breached entity in determining whether, and whom, to notify after a breach of NPI. The point of notification laws is twofold: to put teeth into data protection legislation so that private and public enterprises will take heed, and to give potential victims the advantage of an early warning when a breach does occur, so that they have the opportunity to respond and protect themselves.

While investigators of a data breach need a modicum of discretion to withhold details that might compromise the recovery of evidence, it remains the responsibility of the company or agency to make certain the victims are aware of the breach(es).

No business can really afford the fallout from a data breach, both in lost public confidence and in direct financial losses and fines. A proactive approach to information protection is essential, including identity-theft awareness training for all staff, regardless of job title.
