Henry Waxman sent a letter to Secretary of Health and Human Services Kathleen Sebelius outlining Congressional disagreement with the standard HHS had proposed for breach notification without "harm" to the individual. Waxman, joined by other members of the Committee on Energy and Commerce, along with Pete Stark, stated that
"Section 13402 of ARRA requires health care entities to notify individuals if there is an "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." In its interim final rule, HHS interpreted the term "compromises" to include a substantial harm standard. If the breaching entity decides there is no significant risk of financial, reputational or other harm to the individual, that provider or health insurer never has to notify their patients that their sensitive health information was used or disclosed in violation of the federal privacy rule. ARRA's statutory language does not imply a harm standard."
Waxman concludes that Congress expressly rejected a harm standard in its drafting of the legislation and that HITECH/ARRA implemented a "black and white standard" for breach notification, without leaving it to healthcare providers to determine if "harm" has or will occur.