UPDATE January 12, 2013:
House of Representatives Passes Bill Requiring Additional Security Requirements on the Administration of HealthCare.gov
Last week, it was reported that House Majority Leader Eric Cantor (Rep - VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements of the Obama Administration in regard to the HealthCare.gov website. With more than 2 million Americans now enrolled in health plans through HealthCare.gov, Cantor believes that a stricter set of data security requirements should apply to the determination and reporting of any breach of personal information that occurs via the website.
Currently, the “risk of harm” standard applies to HealthCare.gov in regard to the assessment and reporting of data breaches. In the event of a potential breach, the Administration must determine whether a risk of harm exists before it is required to notify individuals that their personal information has been compromised.
There’s more than a little irony here since the “risk of harm” standard was recently dropped in the HIPAA Omnibus Final Rule and replaced with stronger language. Initially, the Department of Health and Human Services (HHS) allowed HIPAA-covered entities to perform a risk assessment to determine if the breach created “a significant risk of financial, reputational, or other harm to an individual.” If not, the covered entity was not required to inform individuals. In effect, “no harm, no foul.”
But before the final rule was implemented, HHS had second thoughts, saying “we recognize that the language used in the interim final rule and preamble could be construed and implemented in manners that we had not intended.” Thus, HHS reversed direction and now requires covered entities to presume that harm has occurred if a breach occurs unless they conduct a risk assessment and thoroughly document why they believe otherwise. HHS went on to say that their goal was to eliminate the possibility of erroneous interpretations – and that both versions always had the same intent. And indeed, the new language does have less wiggle room.
So for HealthCare.gov to then be held to the breach notification “harm standard,” as opposed to starting with a “presumption of harm,” is awkward at best. For Republicans it’s like the proverbial fox guarding the henhouse. Even Democrats have to concede that it’s at least like the “hens guarding the henhouse.”
Whether the Cantor initiative is well-played politics, a sincere interest in protecting personal health information, or a bit of both – Redspin’s just happy that more attention is being paid to guarding the eggs.