Health Freedom Watch
FTC Asks for Public Comment on Notification of Health Data Breaches
The Federal Trade Commission (FTC) is requesting public comment—by June 1, 2009—on a rule to require vendors of electronic personal health records (PHRs) to notify the agency and affected individuals if unsecured health data are breached. This rule is required by the American Recovery and Reinvestment Act (ARRA), under the section titled “Improved Privacy Provisions and Security Provisions.” It will provide breach-notification rights until Congress passes legislation ensuring such rights.
Data breaches are a significant problem in this country. Since January 2005, the U.S. has experienced more than 261 million data breaches. Moreover, it is estimated that 12 percent of data breaches occurred with medical organizations.
Several definitions in the proposed rule are noteworthy:
- “Breach of Security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.” [Emphasis added.]
- “Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under…the American Reinvestment and Recovery Act of 2009. If such guidance is not issued by the date specified…the term ‘unsecured’ shall mean not secured by a technology standard that renders PHR identifiable health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” [Emphasis added.]
- “Personal health record means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” [Emphasis added.]
Breach notifications are not required for secured health data. The rule also does not apply to electronic health records (EHRs), which are controlled by providers (whereas PHRs are controlled primarily by consumers). Separate forthcoming federal regulations will cover breaches of unsecured EHRs.
Issues to Consider in Comments to FTC
Privacy advocates should consider the following points in submitting comments to the FTC:
- Why aren't all PHRs being secured? Do consumers have a choice as to whether they want to use secured or unsecured PHRs? Does anyone really want their PHRs unsecured?
- Shouldn't Americans be notified about breaches of secured PHRs in addition to breaches of unsecured data? If so, the FTC should encourage Congress and the White House to amend the ARRA to offer greater consumer protections regarding Americans' personal health information.
- A 2005 national survey on data security breach notification found that:
  - More than 1 out of 10 adult Americans (11.6 percent) reported receiving notification of a security breach during a one-year period.
  - About 86 percent of breaches were related to the loss or theft of customer/consumer information.
  - About 14 percent of breaches involved employee, student, medical, and taxpayer data. See the “National Survey on Data Security Breach Notification”: http://www.whitecase.com/news/detail.aspx?news=670
  - Additionally, the Open Security Foundation and DataLossDB.org report that 12 percent of data breaches involved medical organizations: http://datalossdb.org
- 44 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm). How would the proposed federal rule affect consumers’ rights under existing or future state laws?
- The bottom line is that health data are personal, and individuals should be informed about breaches—regardless of whether the data was secured or unsecured.
To file a public comment by June 1, click on the following link: https://secure.commentworks.com/ftc-healthbreachnotification and follow the instructions.
Source: “FTC Publishes Proposed Breach Notification Rule for Electronic Health Information,” Federal Trade Commission, April 16, 2009.
Health-Insurance Mandate Could Lead to National ID and Loss of Privacy
By Sue A. Blevins
Americans’ privacy depends critically on whether Congress mandates insurance for individuals. Mandatory coverage is under serious consideration and deserves the thoughtful attention of every citizen. From a health-freedom advocate’s perspective, an individual mandate poses serious threats to privacy. Here’s why: Once government has the legal authority to compel individuals to buy health insurance, it will have an incentive to assign them ID numbers with which to monitor compliance with the program.
Consider this combination: Health-insurance mandate + ID number + electronic health records + HIPAA privacy rule (which permits disclosure without patient consent in many instances) = a nationally linked electronic system and loss of health privacy for all!
The bottom line is that many health-related and legal entities (insurers, lawyers, marketing companies, researchers, etc.) want unfettered access to individuals’ health information for a variety of reasons. A mandate for health insurance could make it easier for these entities to have it. Is it any wonder that the health-insurance industry is pushing for an individual mandate?
Rather than supporting a policy that guarantees a particular industry a mandatory group of buyers, we should be encouraging competition to help lower health-care costs and protect privacy. As it now stands, some insurers are responding to consumers’ requests to keep their records offline. However, if we end up with a mandate, insurers will have less incentive to respond to consumers’ requests, as everyone will be forced to buy their product regardless of their privacy policies. Sure, people can petition the government and work through the political process to get insurers to meet consumer demands. But exercising one’s freedom of association is much better than a mandate followed by a petition to Congress.
For most people, health care is a private matter. In a free country we should have the right to privacy and freedom of choice, including the choice of what type of health insurance to carry and whether or not we want electronic health records.
Sue A. Blevins is founder and president of the Institute for Health Freedom.
A Not So Happy Anniversary for the “Massachusetts Model”
By Michael D. Tanner
Three years ago [on April 12, 2006], then-Governor Mitt Romney signed into law the most far-reaching state health care reform plan to date. At the time, we warned that the plan, with its individual and employer mandates, new regulatory bureaucracy (the Connector), and middle-class subsidies would result in “a slow but steady spiral downward toward a government-run health care system.” Sadly, three years later, those predictions appear to be coming true.
- While the state has reduced the number of residents without health insurance, some 200,000 people remain uninsured. Moreover, the increase in the number of insured is primarily due to the state’s generous subsidies, not the celebrated individual mandate.
- Health care costs continue to rise much faster than nationally. Since the program became law, total state health care spending has increased by 23 percent. Insurance premiums have been increasing by 10-12 percent per year, nearly double the national average.
- New regulation and bureaucracy are limiting consumer choice and adding to costs.
- Program costs have skyrocketed. Despite tax increases, the program faces huge deficits in the future. As a result, the state is considering caps on insurance premiums, cuts in reimbursements to providers, and even the possibility of a “global budget” on health care spending.
- A shortage of providers, combined with increased demand, is increasing waiting times to see a physician, especially primary care providers.
With the “Massachusetts model” being frequently cited as a blueprint for state or national health care reform, it is important to recognize that giving the government greater control over our health care system will have grave consequences for taxpayers, providers, and health care consumers. That is the lesson of the Massachusetts model.
Michael Tanner is a senior fellow at the Cato Institute.
Source: “A Not So Happy Anniversary for the ‘Massachusetts Model,’” Michael D. Tanner, Cato Institute, April 13, 2009.
Health Freedom Watch is published by the Institute for Health Freedom. Editor: Sue Blevins; Assistant Editor: Deborah Grady. Copyright 2009 Institute for Health Freedom.