Health Breach Notification Rulemaking, Project No. R911002”
These rules are NOT ENOUGH to protect privacy!!! Access to private data IS the same as acquisition. While the language sounds reasonable, in the real world it only provides loopholes for those gaining access to data. The only way to fully protect medical data is to strictly limit access and to give the patient FULL & COMPLETE right of control over who sees the data....(and by "right of control" I mean the patient must give explicit approval for each and every person/group that accesses the data). Data access must be specifically granted....no "OPT OUT' policy which puts the patient in the position of continually chasing the system to keep his/her data private.
Additionally, strict prohibitions must be in place that limit the use to which this medical data can be put, and severe penalties must be in place for companies and individuals that violate the prohibitions.
The history of consumer data privacy is NOT GOOD. Typically the government (thru law or agency) waters down privacy rules in favor of those who want to access the data instead of protecting the right/privacy of those to whom the data should belong.
Medical data is so personal to the patient, and has so much potential for misuse...that the rules to protect it must be strict, well written, and carry sufficient penalties and enforcement.