Core Principles


This practice area addresses the following Markle Connecting for Health Core Principles for a Networked Environment:

  • Individual Participation and Control

  • Security Safeguards and Controls

  • Accountability and Oversight

  • Remedies

See Architecture for Privacy in a Networked Health Information Environment for more information.

Purpose

Secure and confidential data handling is a core responsibility of any Consumer Access Service. Part of that responsibility is planning in advance what the Consumer Access Service will do if something goes wrong. There have been many highly publicized inadvertent disclosures of sensitive personal data.

Our review of leading PHRs revealed a widespread lack of policy statements about the responsibilities the company will accept, and the actions it will take, in the event of a breach or misuse of personal health information. (See Appendix A of CP2: Policy Notice to Consumers.)

California led, and several other states have followed, in enacting laws that require companies to notify affected consumers when sensitive, personally identifiable data are disclosed into unauthorized hands, but such requirements are not yet universal.[1] Notification regarding health data breaches is controversial and subject to debate. Open questions include what constitutes a breach, what types of data are at issue, and what constitutes adequate notice.

We recommend that Consumer Access Services develop policies covering breach or misuse of information. Such policies should be posted as part of the publicly available notice of privacy and security policies. (See CP2: Policy Notice to Consumers.) Notwithstanding the current lack of regulatory guidance or industry consensus, a Consumer Access Service's policy should tell users what the service considers a significant breach, how it will notify them when a breach occurs, and what recourse they have in the event of a breach.

Recommended Practice

A Consumer Access Service should notify individually any user whose personal information was, or is reasonably believed to have been, disclosed or acquired by an unauthorized person or party in a form that carries significant risk of compromising the security, confidentiality, or integrity of personal information.

The notification should be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification practices should be consistent with state-of-the-art security standards and should be "risk-based": tailored to the potential risk to the consumer and to the size, complexity, and nature of the Consumer Access Service's operations. A current "best practice" for notification is described by the California Department of Consumer Affairs.[2]

__________

  1. Office of the Privacy Commissioner of Canada, Overview of American Breach Notification Laws, February 22, 2007. Accessed August 22, 2007, at http://www.privcom.gc.ca/parl/2007/sub_070222_06_e.asp.
  2. California Department of Consumer Affairs, Recommended Practices on Notice of Security Breach Involving Personal Information, February 2007. Accessed September 6, 2007, at http://www.dhcs.ca.gov/formsandpubs/laws/priv/Documents/PrivacyProtection.pdf.


©2008-2011, Markle Foundation

This work was originally published as part of a compendium called The Markle Connecting for Health Common Framework for Networked Personal Health Information. It is made available free of charge, but subject to the terms of a License. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.