Archive for March, 2009

Stimulus Package Federalizes Health Information Breach Notifications

Note: This article was originally posted on

Streamlining medical records has been a recurring theme of the Obama administration. Tucked away in the pending economic stimulus legislation, known as the American Recovery and Reinvestment Act (ARRA), is a provision which would create a breach notification requirement for health information breaches.

Starting in Subtitle D, ARRA takes an unprecedented foray into federalizing data breach notifications. Although ARRA regulates only breaches of health information, this legislation will no doubt be front and center in future debates about creating a Federal Breach Notification Law.


Here is a quick analysis: ARRA mirrors most state breach notification laws, in that it requires “covered entities” (i.e., Health Plans, Health Care Providers, and Health Care Clearinghouses) to notify each individual if their “unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach.” Business Associates, or subcontractors, must alert the Health Care Provider of a breach. The statute also places additional limits on how health information can be sold and shared.

The statute dramatically broadens the ambiguous state-law concept of “data owners,” and applies to any HIPAA-covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.”

As expected, the Federal law takes a lowest-common-denominator approach to duties. For example, although notifications must be made “without unreasonable delay,” the statute allows up to 60 calendar days to comply. This is substantially longer than the longest state requirement, which requires notification within 45 days.

Each state notification law requires direct (i.e., mail) notification to affected individuals unless the person can’t be found, and allows “Substitute Notice” in cases of large breaches. “Substitute Notice” usually comprises posting an announcement on the organization’s website and notifying the media. Some states do not permit Substitute Notice unless the breach is extremely large (250,000+ in some cases). But ARRA allows substitute notice if the breach involves just 500 people in a single state.

The statute also reaches well beyond traditional “covered entities” to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report the breach to the FTC, which will treat it as a deceptive trade practice. Individuals should not expect a letter from Google or Microsoft if their health care records are breached.

On one hand, this federal legislation will plug holes in several states' statutes by regulating health information. Arizona, California, Hawaii, Michigan, Oregon, and Rhode Island, for example, regulate health care providers and insurers differently from other companies, and may even completely exempt them from notification requirements.

This bill will no doubt spur the national discussion about breach notification laws. But because it mimics existing state laws, the bill comes up short. Breach Notification Laws were a step in the right direction when California passed the first one almost seven years ago. But since that time, they have displayed several shortcomings, which I critique here. Instead of fixing these problems, ARRA will exacerbate many of them.
