Health Data Not Covered in Breach Legislation
PRIVACY LAW—U.S. | August 5, 2011
The Center for Democracy and Technology's Harley Geiger writes that the data breach notification bills currently in Congress would not protect health data processed by certain commercial services. The HIPAA Privacy Rule requires covered entities to notify individuals when their data is compromised, but with the influx of commercial health IT systems and applications, sensitive health data is increasingly handled by commercial products and services that are not covered entities. As a result, neither the current draft data breach legislation nor the Privacy Rule would require non-covered entities processing health data to notify individuals of a breach, which "makes it all the more important that the law evolves with technology to provide blanket privacy protection for health information in commercial contexts," the report states.