Health Breach Notification Rulemaking
Quintiles appreciates that the FTC issued this proposed Health Breach Notification Rule for comment. We note that the currently accepted best-practice standard for breach reporting is that the entity knows or should have known that a breach has compromised the security or privacy of information. Instead, the proposed rule places the burden of proof on the entity to show that unauthorized access could not have resulted in acquisition.

If a third-party provider accesses or uses only indirectly identifiable health information, the identification of individuals for breach notification may be practically impossible. Indeed, such a re-identification process, undertaken solely for the purpose of sending breach notices, would be costly and burdensome and disproportionate to the risk.

Also, online entities may communicate with registrants only by electronic mail. Nevertheless, under the proposed rule, they may be expected to contact their existing registrants, asking them (1) whether the entity can send them an e-mail if there is a breach of information security or (2) whether they wish to be notified by first-class mail. Many registrants may simply ignore the e-mail. Others may choose to be notified by first-class mail, which means they would have to provide their name and address to the entity. This would pose a new and greater risk to the consumer's personal data and increase the liability for the entity.

The proposed rule requires notifications to the consumer regardless of the level of risk involved. This may be confusing to the consumer and cause them to become inured to these notices.

For the benefit of both the consumer and those subject to this proposed rule, we urge that the FTC take a practical approach to health breach notification to the extent permitted in the American Recovery and Reinvestment Act. Quintiles' detailed comments are attached.