The Department of Health and Human Services has withdrawn its previously issued interim medical privacy rule after facing substantial criticism from privacy advocates. The old rules required that health-care providers and insurers report privacy breaches to patients only if the provider or insurer felt that there was a "significant risk" of harm. Privacy advocates criticized this language on the basis that it granted too much discretion to the firms responsible for safeguarding patient data. In previous comments to the FTC, EPIC recommended that notification of health data breaches be enhanced, that additional breach notification through means such as text messages and social networking sites be developed, and that companies obtain verification of receipt of notifications. EPIC has also testified in Congress that the "significant harm" standard, favored by the HHS for breach notification, is unfair to consumers. For more information, see EPIC: Medical Record Privacy.