The Software & Information Industry Association (SIIA) has submitted feedback on the proposed revisions to the Health Breach Notification Rule (HBNR).
SIIA acknowledges the need for updates to the notification regime to adapt to changing business practices and technological advancements. However, it expresses concerns about certain proposed changes. The definition of “health care provider” under the HBNR expansion is a key point of contention. The proposed definition covers a wide range of entities, including health apps and technologies beyond traditional health care providers, which SIIA argues deviates from the intended scope and could encompass unrelated businesses, like stores selling wellness products.
Additionally, SIIA raises concerns about the scope of security breach definitions. The proposed broadening of unauthorized access or disclosure criteria without assessing the likelihood of harm could lead to excessive notifications and compliance challenges.
SIIA opposes the inclusion of advertising and analytics providers and platforms under the category of third-party service providers, highlighting impracticalities and uncertainties in enforcing compliance.
Lastly, SIIA cautions against overly prescriptive requirements for consumer authorization and affirmative consent. It advocates for a balance between transparency, user expectations, and the evolution of technology interfaces.
In summary, SIIA’s feedback emphasizes the importance of maintaining a clear, balanced, and practical approach to the HBNR revisions to ensure meaningful protection of consumer information while considering the evolving landscape of information technologies.