Connecting Consumers: Common Framework for Networked Personal Health Information

CP5: Notification of Misuse or Breach

This practice area addresses the following Connecting for Health Core Principles for a Networked Environment*:
5. Individual participation and control
7. Security safeguards and controls
8. Accountability and oversight
9. Remedies
* "The Architecture for Privacy in a Networked Health Information Environment," Connecting for Health, June 2006. Available at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.

Purpose: Secure and confidential data handling is a core responsibility for any Consumer Access Service. Part of this responsibility includes developing an advance plan on what the Consumer Access Service will do if something goes wrong. There have been many highly publicized inadvertent disclosures of sensitive personal data.

Our review of leading PHRs revealed a widespread lack of policy statements about the responsibilities and actions that the company will take in the event of a breach or misuse of personal health information. (See Appendix A of CP2: Policy Notice to Consumers.)

California is the leader among several states that have enacted laws requiring companies to notify affected consumers when sensitive, personally identifiable data are disclosed into unauthorized hands, but such requirements are not yet universal.** Notification regarding health data breaches is controversial and subject to debate. Open questions include, for instance: what constitutes a breach? What types of data are at issue? What constitutes notice?

** The Privacy Commissioner of Canada has a helpful resource, "Overview of American Breach Notification Laws," February 22, 2007. Accessed online on August 22, 2007, at the following URL: http://www.privcom.gc.ca/parl/2007/sub_070222_06_e.asp.

We recommend that Consumer Access Services develop policies for breach or misuse of information. Such policies should be posted as part of the publicly available notice of privacy and security policies. (See CP2: Policy Notice to Consumers.) Notwithstanding the lack of guidance or industry acceptance, Consumer Access Service policies should tell users what the service considers a significant breach, how it will notify users when a breach occurs, and what recourse the user has in the event of a breach.

Recommended Practice:

A Consumer Access Service should notify individually any user whose personal information was, or is reasonably believed to have been, disclosed or acquired by an unauthorized person or party in a form that carries significant risk of compromising the security, confidentiality, or integrity of personal information.

The notification should be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification practices should be consistent with state-of-the-art security standards and should be "risk-based" – tailored to the potential risk to the consumer and the size, complexity, and nature of the Consumer Access Service's operations. A current "best practice" for notification is described by the California Department of Consumer Affairs.***

*** California Department of Consumer Affairs, "Recommended Practices on Notice of Security Breach Involving Personal Information," February 2007. Accessed online on September 6, 2007, at the following URL: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Documents/PrivacyProtection.pdf.

Connecting for Health thanks Josh Lemieux, Markle Foundation, for drafting this paper.