A Win for Privacy Advocates?
But it remains to be seen precisely how regulators will tweak the final rule. So we'll see if the declaration of victory is premature. In a statement recently posted on its website, the Department of Health and Human Services acknowledges that it has withdrawn its proposed final version of the rule from administrative review by the Office of Management and Budget, the final step before a regulation becomes official. The rule had been submitted May 14.
HHS is making the move "to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue, and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur."
Some consumer advocates, including Patient Privacy Rights, as well as several members of Congress, criticized a "harm standard" provision in the interim final rule, which is now in effect. That provision allows health care organizations and their business associates to conduct a risk assessment to determine whether a particular data security breach presents "significant risk" and thus needs to be reported to those affected.
In a July 30 release, Patient Privacy Rights called the pending reworking of the final rule "a huge step in the right direction." The group calls the "harm standard" a "blatant disregard for patients' rights to be notified of all breaches."
The statement goes on: "The proposed final rule granted the power to decide whether to report breaches or not to the businesses that failed to protect sensitive health data, and would not want to disclose breaches. Talk about letting the fox guard the hen house."
So Patient Privacy Rights is assuming that the reworking of the final rule will result in deletion of the "harm standard." But for now, officials at the HHS' Office for Civil Rights are declining to discuss their planned revisions. They'll only say that the final rule will be published "in the coming months."
If, indeed, the "harm standard" is yanked, it will be interesting to watch whether the change leads to a spike in the number of major breaches reported.
It's impossible to determine how many breaches have not been reported to regulators because health care organizations determined that the incidents did not represent a "significant risk." So far, more than 120 major breaches, each affecting more than 500 individuals, have been reported to the HHS Office for Civil Rights as required under the interim final rule on breach notification, which has been in effect since Sept. 23, 2009.
So what do you think? Is the "harm standard" reasonable, or should it be tossed? And do you think that many major breaches are going unreported as a result of the "harm standard"?