HHS has withdrawn the Interim Final Rule for Breach Notification for Unsecured Protected Health Information. On the HHS website there is a notice that states:
The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.
Consumer advocates have criticized the HITECH breach reporting rules and point specifically to the “harm standard”. The “harm standard” allows healthcare organizations to determine whether a breach of patient information presents a significant risk of harm to the individual(s). Healthcare organizations would most likely perform a risk assessment to determine if the breach would present a significant risk in terms of financial, reputational or other harm to an individual. Critics of the proposed rule say that allowing the healthcare organization to determine if the risk is significant, and whether there is a need to disclose the breach, would result in many breaches going undisclosed. Critics argue that the “harm standard” should be removed from the final rule and that all breaches should be disclosed.
I have mixed feelings on the “harm standard” and whether it should be included in the rule or removed from the rule. On one hand I think the “harm standard” makes a lot of sense. Assume a laptop is lost and it contains patient information (assuming the laptop was not encrypted), and then the laptop is returned 10 days later and it is also determined that the information on the laptop had not been accessed. Under the “harm standard” a healthcare organization will most likely determine that there was no risk to the patients whose information was on the laptop, and therefore no breach notification would be required. I would tend to agree with the determination not to disclose the breach because no patient information was accessed and no harm was done to the patient.
On the other hand, if a laptop is lost and it contained patient information and was not recovered, then I believe that the breach should be disclosed. Under the “harm standard”, a healthcare organization could perform a risk assessment, determine that the cost of reporting the breach was more than the risk to the patient, and decide not to disclose the breach. In this example I disagree with the “harm standard” and think it would be wrong for a healthcare organization to make the determination that the breach should not be disclosed.
As you can see, the “harm standard” is not black and white. In some cases it makes sense and in others it does not. HHS will have a challenge revising the rule so that patients are properly protected while, at the same time, not every incident leads to a breach notification.