Snowe Amendment to the Wired Act

1. Snowe Amendment to the Wired Act William F. Pewen, Ph.D., M.P.H. Office of Senator Olympia J. Snowe, ME Bill_Pewen@snowe.senate.gov (202)224-5344

3. Privacy / Data Security 2008 • Actual implementation experience • Breaches – both intentional and unintentional. ATM analogy • Estimated 6.9 million affected in 2007 – 42 million in past 4 years • Final privacy rule and consent • Health professionals, payers, “health care operations” • No penalties imposed despite complaints • 67% of Americans “somewhat” or “very concerned” about the privacy of their records – higher in those with chronic conditions (health coverage issue) • 52% of Americans concerned that insurance claims would be used to deny them employment • 1 in 8 have engaged in behaviors placing their health at risk: avoiding treatment, seeing a different practitioner, paying cash. • 600,000 Americans miss timely cancer diagnosis; 2 million avoid mental health treatment PHI Privacy NetNational Consumer Health Privacy Survey 2005HHS

4. HIMSS Security Report • The actual number and extent of data breaches is higher than reported. Data forensics conducted after a breach usually reveal greater scope and severity than initially expected (Pg 23) • Breaches typically involve disclosure of critical data including name, mailing address, diagnosis, and other clinical data (Pg 19). • There is an absence of concern regarding electronic media such as media, laptops, and internet access (Pg 18). • Paper records are not the greatest threat. Most reported breaches involved electronic records. This notable despite the fact that adoption of Health IT is still far from complete (Pg 21) • Only 56 percent of breaches resulted in patient notification (Pg 4) and respondents indicated that only 10 percent intended to inform patients of such an event (Pg 17) • Breach action plans were lacking in focus on proactive risk mitigation (Pg 16) 2008 HIMSS Analytics Report: Security of Patient Data – April 2008

5. Privacy Protection Models • Data access • Requires physical security • Does not require complete knowledge of abuses • Limits data use for other applications - issue of consent • Prohibition of acts • Requires knowledge of potential harms • Legislative process and the time to navigate – GINA example • Creative workarounds – surrogate data

6. Snowe Amendment Provisions • Improve representation of patients’ interests by increasing the number of consumer representatives on the Policy Board from 1 to 3 (out of 18 members) • Prohibit the use of “piggybacking” of consent on the HIPAA notice. See “Declaration of Helsinki” • Provide a data breach notification

7. Data Breach Provision • Provides one year for the HHS Secretary to conduct rule making on the trigger, methods and procedure for notification regarding data breaches. Ensures that when an unauthorized individual may reasonably be expected to have acquired representation of a patient’s protected health information, such must be considered a breach. • Requires reporting of breaches of protected health information affecting 100 or more individuals to the HHS Secretary with 60 days of discovery. • Provides summary reporting of the number and extent of such breaches on a publicly-accessible website. • Provides for HHS approval of data security measures such as encryption. • Requires that a covered entity which discovers a breach of protected health information – and which has not employed an HHS-approved technology to make data unreadable by unauthorized individuals – inform individuals affected by such a breach within 60 days. • Provides for mandatory penalties for a covered entity which fails to provide required notification. Entities would be fined $500 per individual affected, with an aggregate limit of $250,000 per incident.