I would propose that while the re-identification risks associated with a breach can be reasonably characterized by statistical disclosure experts, the possible extent of harm associated with such re-identification risks could not possibly be determined by the parties responsible for risk assessments to be performed in response to a breach. As suggested by Congressmen Waxman, Rangel, Dingell, Pallone, Stark and Barton in their recent letter to HHS Secretary Kathleen Sebelius, harm from the release of sensitive and personal health information is a personal and subjective matter, and not something which should be left to the discretion of the parties responsible for the breach.
This point is essentially acknowledged by HHS in the final interim rule by the statement on p. 42,745 of the Aug. 24 Federal Register, indicating that risk assessments should “Keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health should be considered sensitive for the purposes of the risk of reputational harm—especially in light of fears about employment discrimination.”
Because of this, I would suggest that any issues of possible extent of harm should not be included in such breach risk assessments. The focus in breach risk assessment should instead be solely the measurable re-identification risks which indicate whether an individual's identifiable health information is likely to have been revealed, rather than the unknowable criteria of whether the individual would be likely to suffer any significant risk of financial, reputational or other harm. De-identified health information has already been clearly exempted from the breach notification rule. Particularly for the case with limited data sets, HHS could implement a reasonable compromise by making a shift from a harm standard to a simpler re-identification risk standard. This would protect individual privacy and would not impose onerous conditions for notification when there is not any significant risk that any personally identified health information had been revealed by a breach.
Daniel C. Barth-Jones, Ph.D.
Assistant professor of clinical epidemiology
Department of Epidemiology
Mailman School of Public Health
Columbia University