Could the President’s Data Breach Proposal Affect Health Care?

Sony.  Target.  Home Depot.  Community Health.  Data breaches have Americans scared.  The Identity Theft Resource Center (ITRC) reported 783 data breaches in 2014, an increase of 27.5 percent as compared to 2013; 42 percent of those breaches occurred in the Medical/Health Care industry.  On January 12, 2015, President Obama announced a legislative proposal he referred to as the Personal Data Notification & Protection Act.  The Act would create a single national standard that companies would follow to notify consumers within 30 days of a breach.  The President is expected to expand upon this proposal in his upcoming State of the Union speech.

Health Care Breaches

Health care providers’ breach notification duties are governed by the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Omnibus final rule (78 FR 5566).  The rule requires covered entities (CEs)–health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain transactions–and their business associates (BAs) to notify individuals of breaches within 60 days of discovery, unless the CEs and BAs demonstrate a low probability that protected health information (PHI) was compromised.  The entities do so by performing a risk assessment to determine the probability of compromise, considering the nature and extent of the PHI involved, the unauthorized person or persons who used the PHI or to whom the disclosure was made, whether the PHI actually was acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

CEs and BAs must also notify the HHS Secretary annually of breaches involving fewer than 500 individuals; for breaches involving 500 individuals or more, they must notify HHS at the same time that they make individual notification and must also notify the media.  The HHS Office of Civil Rights (OCR) lists breaches affecting 500 individuals or more on its website.  The website reflects 165 such breaches in 2014, each categorized as theft, unauthorized access/disclosure, loss, hacking/information technology (IT) incident, or improper disposal, or placed into a sixth catchall category.  The largest breach, which involved data for an astounding 4.5 million individuals, resulted from theft of data from a network server.

Proposed Legislation

It is unclear to what extent the proposed legislation would affect the health care industry, although it is possible that the law would trump Omnibus notification requirements. The states have their own, disparate data breach requirements.  For example, many states differ as to their definitions of personal information, whether they require risk of harm analyses, and when notification must occur.  California has a law specific to medical data breaches. Baker Hostetler has compiled charts describing differences among state disclosure laws.  The President proposed the legislation along with other measures to detect identity theft and protect student privacy.  What Congress chooses to do with these suggestions remains to be seen.