In late August, the Dept. of Health and Human Services (HHS) released an interim final rule on health data breach notification. Through the rule, HHS establishes data security standards that HHS believes are strong enough to eliminate the need to notify consumers of a data breach. That is, if a health care entity applies one of these security processes to its data, and then that data is lost or otherwise breached, the entity does not have to inform patients. Some of the rule's security processes are quite good, such as strong encryption standards. Unfortunately, however, HHS packed an overly broad and unreliable standard in with the good ones: the "harm standard."
(CDT had issued comments to the HHS rulemaking in May 09. For more information about the interim final rule and CDT's comments, please see our earlier blog post.)
Read more »