Seems to me that this should be under the responsibility of USDHHS. Before that though, WHY should there be any centralized digital PHR in the first place???
What is needed is for each of us to have our PHR in a format that we carry with us and have control over, including the correction of misinformation. Any other approach does NOT have comprehensive enough protections - not even banks have that; some of them have been hacked. Otherwise, it will be hacked and misused by employers, insurance companies, the government, hackers, blackmailers, etc.
Who is really paying for this setup? It looks like it is for power and control over people to the benefit of business, not of the people. And who is it that REALLY pays when a breach occurs? You know it's going to be us, the breached person; paying for credit freezes, credit reports, getting our credit straightened out (which takes years and years), etc. - all through NO fault of our own.
There is NOWHERE to opt in to do this PHR stuff; forget about trying to use opt out - that is a dirty ploy. I would NOT trust any email notification of a breach; it would have to be first class mail with a number to talk with a staff person of power in the company with a breach.
It looks to me like this whole thing is set up to benefit business and more of "big brother is watching you" and waiting to drop the hammer at first opportunity. You do NOT know what is best for me nor do companies.
My health information is between my doctor and me and only as necessary with other entities with a need to know who have limited access to my health information - I hate even having the health insurance company know any of it since they could use any of it to charge me higher premiums, refuse care - especially refusing health care for a "pre-existing" condition, or whatever...
My recommendation is to TRASH that whole setup and start back with us having our own portable individual health record that we have control over and can correct as needed. Wouldn't have to worry about breaches or unauthorized access then, only us losing it - but could only be a copy that we carry with the original in our own safe place...