Collaborative Comments on Federal Health Data Breach Notification Requirements

Since 2002, the Markle Foundation’s Connecting for Health Initiative has brought together leading government, industry and health care experts to accelerate the development of a health information-sharing environment to improve the quality and cost-effectiveness of health care. The Center for Democracy and Technology, through its Health Privacy Project, promotes comprehensive privacy and security policies to protect health data as information technology is increasingly used to support the exchange of health information. The Center for American Progress has played an active role on a range of health care issues, including a greater focus recently on health IT issues. We, along with Consumers Union, Health Care For All, the National Partnership for Women & Families, Clay Shirky,¹ Jeff Jonas,² Deirdre Mulligan,³ and Peter Swire,⁴ jointly submit these comments in response to the guidance published by the Department of Health and Human Services (HHS).

Section 13402 of the American Recovery and Reinvestment Act of 2009 (ARRA)⁵ imposes a new duty on HIPAA covered entities⁶ and their business associates to notify affected individuals when there has been a breach of protected health information (PHI) that has not been secured through the use of a technology or methodology that renders the information unusable, unreadable, or indecipherable to unauthorized individuals. HHS has recently issued guidance on this issue, providing an exhaustive list of encryption and destruction technologies and methodologies that meet these criteria for the purposes of this provision.⁷

HHS has issued this guidance at a critical moment. Through ARRA, Congress and the Administration have made an unprecedented public investment in health IT to improve quality and reduce costs in the health care system. The success or failure of this endeavor will depend in no small measure on the degree to which patients and consumers, as well as health industry stakeholders, trust that health information will be protected from inappropriate use and disclosure. Building and maintaining this trust will require an ongoing commitment from policymakers and industry stakeholders to develop, implement and enforce effective privacy and security policies. Approaches to privacy and security will need to evolve as new protective technologies and threats emerge.

This guidance centers on just one component of a full set of privacy and security policies needed to foster public trust and support health IT efforts.

I. Overview of Recommendations:

First and foremost, we want to emphasize that protecting health care data requires vigilant oversight and active monitoring. Methods of securing data that work one year may fail the next, as attackers become more sophisticated and as target data sets proliferate. The privacy risks associated with breached data depend on the data analysis tools and other, related sources of data an attacker can use to access or re-identify breached information.

Consistent with this view, and as explained in more detail here, we:

• Support the strong encryption and data destruction standards currently included on the list of technologies and methodologies that render protected health information unusable, unreadable or indecipherable;
• Recommend the addition to the list of accepted technologies and methodologies a one-way hash function, which is particularly useful for comparing population level data sets without unnecessarily exposing patient data;
• Urge HHS not to add the limited data set to the list of technologies and methodologies because it does not approximate the level of protection achieved through strong cryptography;
• Ask HHS to emphasize that these technologies and methodologies do not supersede or are not a substitute for the requirement to use the minimum amount of data necessary to accomplish a particular purpose;
• Recommend that HHS carefully examine the unintended consequences of adding device access safeguards and drives protected by biometric access protocols before proceeding in this area;
• Recommend that HHS, as part of its study of the HIPAA de-identification standard,10 consider whether de-identified data should remain outside of regulation under HIPAA, including with respect to breach notification;
• Urge HHS to expressly commit to annually reviewing this guidance and set forth a process for doing so; and
• As part of this annual review, recommend HHS use threat profiles to evaluate the potential of policies, technologies and methodologies to protect and secure PHI.

———

1. Technical Lead for Markle Connecting for Health.
2. IBM Distinguished Engineer; Chief Scientist, IBM Entity Analytics.
3. Assistant Professor, UC Berkeley School of Information.
4. C. William O’Neill Professor of Law at Moritz College of Law of the Ohio State University.
5. Pub. L. 111-5, 123 Stat. 115 (2009).
6. Entities subject to the requirements of the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).
7. HHS also issued a request for information to inform the agency’s upcoming breach notification regulations on which we have submitted separate comments.