Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:”

According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses a “significant risk of financial, reputational or other harm to [an] individual.”

I wasn’t the only one deeply concerned by that standard. Apparently Henry Waxman and Charles Rangel have written the Secretary of Health and Human Services to explain that “This is not consistent with the Congressional intent,” and

“ARRA’s statutory language does not imply a harm standard,” the lawmakers wrote. “Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given breaching entities, particularly with regard to determining something as substantive as harm from the releases of sensitive and personal health information.”

Their letter is here. See also “Lawmakers Urge Lower Bar for Health IT Data Breach Notification.”

Five years ago, no one would have said such things. It’s nice to see how quickly the field is maturing.