You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at

Agency Reconsiders Medical Breach Notification Rule

The Department of Health and Human Services has withdrawn its previously issued interim medical privacy rule after facing substantial criticism from privacy advocates. The old rules required that health-care providers and insurers report privacy breaches to patients only if the provider or insurer felt that there was a "significant risk" of harm. Privacy advocates criticized this language on the basis that it granted too much discretion to the firms responsible for safeguarding patient data. In previous comments to the FTC, EPIC recommended that notification of health data breaches be enhanced, that additional breach notification through means such as text messages and social networking sites be developed, and that companies obtain verification of receipt of notifications. EPIC has also testified in Congress that the "significant harm" standard, favored by the HHS for breach notification, is unfair to consumers. For more information, see EPIC: Medical Record Privacy.

« "Medical Privacy" | Main | EPIC Presses for Release of Government Documents on Health Risks of Airport Body Scanners »

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security