Breach Notification Gap Addressed
One Senate Bill Would Protect More Healthcare Information

Only one of three national breach notification bills that won approval in the Senate Judiciary Committee last week would address a gap in protections for healthcare information, says Harley Geiger, policy counsel for the Center for Democracy & Technology, in a new blog.
Earlier, Geiger pointed out in another blog that all the pending national breach notification bills would exempt HIPAA covered entities - those healthcare organizations that must already comply with the HIPAA breach notification rule mandated under the HITECH Act.
But a bill from Sen. Richard Blumenthal, D-Conn., was modified last week to include health information in its definition of "sensitive personally identifiable information," Geiger notes. So while the bill still exempts HIPAA covered entities from the new national requirements, it would cover organizations that handle sensitive patient information but are not covered by HIPAA - such as those offering mobile health applications and social networking sites devoted to medical conditions.
"Blumenthal deserves considerable credit for being forward-looking and correcting this gap in consumer privacy protection," Geiger writes in his latest blog. The Blumenthal bill also would give the Federal Trade Commission the authority to modify the definition of sensitive personally identifiable information to keep pace with technology changes, he points out.
Filling the Gap
As we noted in an earlier blog, Geiger argues that breach notification requirements for health information held by companies not covered by HIPAA "are weak and unclear." That's why he wants any new national breach notification law to help fill this gap. And we strongly agree.

A bill from Judiciary Committee chairman Sen. Patrick Leahy, D-Vt., "presumably is the most likely to see action on the Senate floor," Geiger speculates. A third bill, from Sen. Dianne Feinstein, D-Calif., also made it through the committee.
If the Leahy or Feinstein bills were enacted, Geiger notes, "it would likely take a further act of Congress to bring health information under the law." That means the gap would be "difficult to address," he says, given that efforts to pass a national breach notification law in any form have been percolating in Congress since 2005.
"Congress has considered data breach legislation several times before, so the chances that any of the current bills will be enacted are unclear," Geiger observes. "CDT is glad Congress is focused on these issues, but wants the legislation to be sufficiently protective to represent real progress over current state data breach laws and sufficiently flexible to remain relevant in future years."