The Security Scrutinizer with Howard Anderson

Breach Notification Gap Addressed

One Senate Bill Would Protect More Healthcare Information

Only one of three national breach notification bills that won approval in the Senate Judiciary Committee last week would address a gap in protections for healthcare information, says Harley Geiger, policy counsel for the Center for Democracy & Technology, in a new blog.

Earlier, Geiger pointed out in another blog that all the pending national breach notification bills would exempt HIPAA covered entities - those healthcare organizations that must already comply with the HIPAA breach notification rule mandated under the HITECH Act.

But a bill from Sen. Richard Blumenthal, D-Conn., was modified last week to include health information in its definition of "sensitive personally identifiable information," Geiger notes. So while the bill still exempts HIPAA covered entities from the new national guidelines, it would cover those organizations not covered by HIPAA - such as those offering mobile health applications and social networking sites devoted to medical conditions - that handle sensitive patient information.

"Blumenthal deserves considerable credit for being forward-looking and correcting this gap in consumer privacy protection," Geiger writes in his latest blog. The Blumenthal bill also would give the Federal Trade Commission the authority to modify the definition of sensitive personally identifiable information to keep pace with technology changes, he points out.

Filling the Gap

As we noted in an earlier blog, Geiger argues that breach notification requirements for health information held by companies not covered by HIPAA "are weak and unclear." That's why he wants any new national breach notification law to help fill this gap. And we strongly agree.

A bill from Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., "presumably is the most likely to see action on the Senate floor," Geiger speculates. A third bill, from Sen. Dianne Feinstein, D-Calif., also made it through the committee.

If the Leahy or Feinstein bills were enacted, Geiger notes, "it would likely take a further act of Congress to bring health information under the law." That means the gap would be "difficult to address," he says, given that efforts to pass a national breach notification law in any form have been percolating in Congress since 2005.

"Congress has considered data breach legislation several times before, so the chances that any of the current bills will be enacted are unclear," Geiger observes. "CDT is glad Congress is focused on these issues, but wants the legislation to be sufficiently protective to represent real progress over current state data breach laws and sufficiently flexible to remain relevant in future years."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.