Health Breach Notification Rulemaking #541358-00006

Submission Number:
Steve Paterson
Private citizen
Initiative Name:
Health Breach Notification Rulemaking
It is clear to me that public distrust over the way their personal information is handled by those responsible for health care delivery represents the biggest barrier to the advancement of health information technology. A large part of the problem is the lack of public knowledge concerning this issue. A serious public awareness campaign concerning privacy regulations should be the first order of business by the FTC. A recent announcements by Microsoft and Google that HIPPA regulations do not apply to their business model has only served to exacerbate this problem. My second recommendation is to get VERY serious about limiting where identifiable data can be stored. Even within the care giving setting. The ease and frequency of computer theft is a deal breaker in the court of public opinion. For most people, data encryption is not a sufficient safeguard. In a recent incident, a laptop with 14,380 identifiable patient records was stolen from a contractor working for Moses Cone Health System. A spokes person for MCHS stated that "the data was in a format the average criminal could not access". Their response was to re engineer the delivery process using a VPN. Their attitude and response strike me as cavalier. The proper response should have been to deliver only de-identified data to their contractor. There is no legitimate reason, in this case, for the contractor to have identifiable patient information. Only the patient's care givers and plan manager should have a legitimate need to contact the patient directly and even then it should on an opt-in basis, NO exceptions. Any other entity should have the signed consent of the patient to store, manage and use their personal identifiable data. When consent is given to a 3rd party, there should be clear limits stated and the message should be limited to 50 words. It is most likely that MCHS exposed their patient's personal information because they were too lazy to de-duplicate the patient records themselves. Instead they pushed the task down to their contractor. This is totally unnecessary and should be stopped. Thank you for considering my opinion. PS. From what I have read, this issue appears to been resolved in Canada. There is probably something to learn from their experience.