Health Breach Notification Rulemaking #541358-00102

Submission Number:
Bill Pankey
Tunitas Group
Initiative Name:
Health Breach Notification Rulemaking
The proposed rule may exacerbate injury to the consumer as it does not fully take into account the consequences of breach notification. Presumably, upon receipt of a breach notice, the consumer will undertake some action to correct the consequences of the potential privacy violation and to avoid reoccurrence of similar violations in the future. However, since the impact of violations of health information privacy are highly idiosyncratic, its is likely that the PHR provider will be unable to provide effective guidance to lessen that impact. The breach itself then may only leave the consumer in an anxious state and unable to take action to recovery the lost privacy. Furthermore, the consumer may view the PHR provider as an unworthy custodian of health information privacy and then censor further additions to the consumer's health record. This injures the consumer to the degree that it provides an incomplete or inaccurate record to care givers. The above assertions are demonstrable fact as illustrated by the notorious 2006 theft from the VA of a laptop containing personal health information of some 26.5M soldiers and veterans. Once the laptop was recovered, forensic analysis of the laptop confirmed that no personal information was acquired by unauthorized persons. Thus, any harm due the incident, was necessarily the result of the wide publication of the breach through press and the VA notice to the subjects of the affected information. In January 2009, the VA did settle class action suits arising from this incident and agreed to compensate individuals who suffered the effects of 'emotional distress' caused by the incident. It is a simple fact that, were there no reporting of the incident, members of the affected class would have been spared some $20M of emotional distress and inconvenience. Since there was no actual inappropriate disclosure of the information, there otherwise would have been no harm to the veterans. The proposed rule, most likely, increases the likelihood of such harmful notification. This commenter appreciates that the rule allows for a rebuttal to the presumption that 'access => acquisition". However, giving the timing requirements for breach notification, the opportunity to rebut the presumption may be illusory. For example in the above case, it would not have allowed the VA to avoid making breach notice to soldiers and veterans. This commenter suggests that customer interests are supported by allowing greater discretion on the part of the PHR provider to determine the necessity of breach notice and that the test should not that there is evidence that the information could not reasonably have been acquired to one that there is evidence that the information would have been acquired. The latter test should take in account the circumstances of the incident through which unauthorized parties gained access to the information.