Final Breach Notification Rule on Hold
Regulators Consider More Changes
An "interim final rule" on breach notification has been in effect since Sept. 23, 2009. So far, more than 120 major breaches have been reported to the Department of Health and Human Services' Office for Civil Rights as required under that rule.
Source of Debate
The interim final rule has proven controversial, so observers are anxiously awaiting the revisions.
Some consumer advocates and members of Congress criticized a "harm standard" provision in the rule. That provision allows health care organizations and their business associates to conduct a risk assessment to determine whether a particular data security breach presents "significant risk" and thus needs to be reported to those affected. Opponents say this provision should be dropped so that all breaches are reported.
Under the HITECH breach notification rule, individuals must be notified of breaches within 60 days. Breaches that affect more than 500 individuals must also be reported to the HHS Office for Civil Rights and the news media. Breaches involving information that has been encrypted do not need to be reported.
The Latest Development
In a brief statement on its website, HHS says it has withdrawn its proposed final version of the rule from administrative review by the Office of Management and Budget, the final step before a regulation becomes official.
HHS is making the move "to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue, and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur."
HHS says it intends to publish a final rule in the Federal Register "in the coming months."
The HHS Office for Civil Rights, which administers the rule, said in a statement provided to HealthcareInfoSecurity.com: "No further details are available at this time as the final rule withdrawn from OMB review is considered to be part of pre-decisional agency deliberations on regulations. The interim final rule continues in full force and effect until a final rulemaking is issued.
"The final rulemaking will take into account the comments received on the interim final rule and our experiences with administering the new breach notification provisions since last September. These are routine, formal regulatory processes."
Congressional Response
In an Oct. 1, 2009, letter to HHS Secretary Kathleen Sebelius, a bipartisan group of six members of the U.S. House of Representatives, including Rep. Henry Waxman, D-Calif., chairman of the Committee on Energy and Commerce, called for repeal of the harm standard provision because it is "not consistent with Congressional intent."
They pointed out that Congress "considered and rejected" such a standard "due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal information."
The HITECH Act section of the economic stimulus package, known as the American Recovery and Reinvestment Act of 2009, requires healthcare organizations to notify individuals if there is an "unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information." The Congressmen criticized HHS for interpreting the term "compromises" to include a "substantial harm standard." They said a "black and white standard makes implementation and enforcement simpler."
The Coalition for Patient Privacy, a group of 13 advocacy organizations, on Oct. 23, 2009, also requested that HHS remove the harm standard, saying it "weakens the breach notification requirement dramatically, granting the company that would like to avoid the cost and consequences of breach notification the power to decide if they will notify."