Clarity Needed in Breach Notification RuleGray Areas Need to be Eliminated
I hope the final version states in the simplest possible terms that the federal law supersedes state laws, unless the state laws have tougher requirements.
And I also hope the so-called "harm standard" in the interim final version of the rule bites the dust. Several members of Congress, and some privacy advocates, already have called for its demise.
Write the rule in clear enough language that an organization doesn't need to hire a lawyer to decipher it.
The harm standard provision allows healthcare organizations and their business associates to conduct a risk assessment to determine whether a particular data security breach presents "significant risk" and thus needs to be reported to those affected.
The provision creates gray area in the law. It needs to be replaced by clear-cut, black-and-white guidance on what must be reported.
Regulators need to make it easier for an organization to figure out how to comply with the rule. Spell out when a breach needs to be reported. Spell out when federal regulations prevail over state regulations. Remove any room for interpretation. Write the rule in clear enough language that an organization doesn't need to hire a lawyer to decipher it.
The Department of Health and Human Services recently acknowledged that it had withdrawn its proposed final rule from administrative review by the Office of Management and Budget, the last step before a regulation becomes official.
HHS said it was making the move "to allow for further consideration, given the department's experience to date in administering the regulations." Let's hope that's code for "We know the interim final rule leaves too much room for interpretation, and we're going to make the final version more iron-clad."
A recent breach incident illustrates the need for clarity in the federal breach rule.
South Shore Hospital in South Weymouth, Mass., decided it didn't have to notify the 800,000 individuals who may have been affected by the loss of two boxes of backup tapes, citing a state law (Massachusetts General Law Chapter 93H).
The law allows organizations to forgo notifying individuals about a breach: "If the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice."
But that law sure sounds like it's in direct conflict with the interim final version of the federal breach notification rule, which requires that breaches affecting 500 or more individuals must be reported to federal authorities, as well as all the individuals affected, within 60 days.
Plus, the federal rule pre-empts "contrary state law." It says a state law is contrary if "a covered entity could find it impossible to comply with both the state and federal requirements or if the state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the breach notification provisions in the (HITECH) Act."
The Massachusetts Attorney General has objected to South Shore's notification strategy and has called for notification of each of the individuals potentially affected. Sounds to me like the attorney general thinks the federal rule requires such notification in this case and it supersedes the state law.
In its statement, South Shore Hospital also implied that because its investigation of the breach incident revealed that the risk of someone accessing and using the missing tapes for fraudulent purposes was so low, the need for personal notification was diminished. Sounds like the hospital is invoking that federal "harm standard" doesn't it?
In the meantime, the Department of Health and Human Services' Office for Civil Rights, which enforces the federal breach rule, won't comment on the South Shore incident because it's an "open investigation." It will be interesting to watch whether the state, the feds, or both ultimately compel the hospital to mail letters to 800,000.