
Monday, February 24, 2014

No Harm Done, HR 3811

A bill entitled “Health Exchange Security and Transparency Act of 2014” was introduced and passed in the House in January 2014 (the bill, HR 3811, has NOT passed the Senate, gone to the President, or become law).

The bill provides that the Secretary of Health and Human Services notify individuals within two days of a data breach of ANY system maintained by a health care exchange created by the PPACA (Obamacare).

Whether or not the bill becomes law, there is a more important question: Who cares? While we SHOULD care, the American public has not asserted itself as standing behind a right to privacy when it comes to data breaches, and the law reflects this seeming apathy.

HR 3811 is typical of the governmental response to the risk of data breaches: a notification requirement. But as with other things in healthcare, what’s the use of knowing if you can’t do anything about it?

Right now, most privacy is governed by laws that carry few to no consequences for the sloppy or negligent release of your personal information by one entity to another entity that then uses that information for nefarious purposes.

If the company INTENDED to release your information, you might have a cause of action. This most typically requires that you show that the company made money from the sale of your personal information. Even if you can prove the company sold your personal information, it’s difficult to prove the harm you experienced from such wrongful release of your personal information.

Individual actions that seek money damages for the release of protected information fail at an enormous rate.

Logically, it seems that those injured by another’s wrongdoing should be able to collect money damages. But when it comes to privacy breaches, both proving wrongdoing and proving injury are difficult.

As a consumer advocate, I here argue that it would be helpful for us to be able to better track WHO has had access to our information within the mega-entities that handle our personal information, giving us a better opportunity to name an individual defendant along with the defendant’s employing entity in pursuing money damages for breaches of our privacy.

Toward this goal, the practice of customer service workers introducing themselves by an alias or by first name only, adopted to protect the workers’ identities, should be discouraged for anyone handling personal information, especially in a healthcare context.

If aliases are assigned to protect customer service workers’ identities from the general public, organizations or government entities should be required to maintain a master list of those aliases and to release the corresponding real names on request, free of charge, to any individual whose data was handled by a particular employee, once the entity has notified that individual that their data was breached.

While it may be difficult for a company to determine where our data goes once it leaves the company, companies should have a greater obligation to provide a chain of evidence, with the first and last names of the individuals who "handled" our personal information within the company. Once notified of a data breach, consumers could then more easily trace what happened to their personal information inside the entity that led to the breach.

For instance, when you call your insurance company, you shouldn’t speak with just Mary, but with Mary plus her last name. If that name is an alias, the insurance company should have a record of who Mary really is and be obliged to release it to you in the event of a data breach whose records show that Mary handled your private information.

It’s a small step, but I believe that it would begin to impact accountability, which will better protect privacy rights moving forward.