They ain’t publicizing it, but it’s there: a harm threshold in the Interim Final Rule from the Department of Health and Human Services (HHS) that took effect yesterday (Sept. 23, 2009, after publication in the Federal Register on Aug. 24) and that lets covered entities avoid ever admitting to a breach of protected health information (PHI).
The secret? Just encrypt the data. As the Interim Final Rule puts it, HHS wants to save the public from being “flooded with notifications for breaches that pose no threat.”
So if a covered entity (a health care provider, insurer and the like) converts to electronic records and encrypts them in a way it judges adequate, and some hacker steals five zillion records, nothing need be reported or done. The rule treats encrypted data as “secured” as long as the key wasn’t taken too, and the entity that lost the data is the one deciding whether the hacker could ever read it.
For a little background, one’s personal health information is protected from disclosure under the Health Insurance Portability and Accountability Act (HIPAA). The HITECH provisions of the recent American Recovery and Reinvestment Act (ARRA) added breach reporting requirements and penalties, and ordered HHS to implement them in a rule.
ARRA itself never named encryption as a safe harbor that excuses notifying those affected. It only left HHS to define what counts as “unsecured” PHI, and HHS threw in encryption as the way out.
“The key problem is, those who breach your information are the ones who get to decide if you are harmed or not,” Deborah Peel, founder and chairwoman of the nonprofit Patient Privacy Rights, told SCMagazineUS.com the day before the interim rule was published.
“It’s shocking to see that the federal agency charged with protecting the public [HHS] is instead protecting private corporations against the embarrassment and bad press that would occur if they aren’t protecting our health records,” Peel added.
The Interim Final Rule also gives great leeway, as Peel indicates, for the covered entity to determine the level of risk involved. The rule even says a lost or stolen laptop containing PHI that is found or returned need not necessarily be reported if the entity determines the data wasn’t tampered with.
However, I don’t know about you folks, but when I go to the doctor, everything is written down and stored in a file cabinet. Are they going to be able to claim that was encrypted?