Consumer groups, providers butt heads on 'harm standard' for breach notification

Consumer groups and provider representatives are lining up on opposite sides of the debate over whether HHS should soften its standard for notifying patients about privacy breaches. Privacy advocates--including the Patient Privacy Rights Foundation, Consumers Union and the Center for Democracy and Technology--want HHS Secretary Kathleen Sebelius to revise an interim final rule about HIPAA breach notification to drop a requirement that an unauthorized disclosure of electronic patient data cause actual harm before a covered entity must report a breach.

However, provider groups including the American Hospital Association, the Medical Group Management Association and the American Association of Medical Colleges have come out in favor of what's being called the "harm standard," arguing that any changes would saddle them with an onerous reporting burden.

HHS must reconcile its rule with a related but conflicting one issued by the Federal Trade Commission. "Because health information is so sensitive, the Commission believes the standard for notification must give companies the appropriate incentive to implement policies to safeguard such high-sensitive information," the rule states. The FTC, quoting the Coalition for Patient Privacy, said that, unlike with financial data, health information leaks cannot be repaired. "A stigmatizing diagnosis, condition or prescription in the wrong hands can cause irreversible damage and discrimination," the commission noted.

To learn more about breach notification:
- take a look at this Inside CMS story, via Consumer Watchdog

Related Articles:
U.S. law now requires data breach warnings
Privacy advocates slam HIPAA breach notification rules