Final Breach Notification Rule on Hold Regulators Consider More Changes
Federal regulators are going back to the drawing board before issuing a final version of the HITECH Act breach notification rule. A proposal for the final rule had been submitted for administrative review May 14, but it has been withdrawn pending "further consideration."

An "interim final rule" on breach notification has been in effect since Sept. 23, 2009. So far, more than 120 major breaches have been reported to the Department of Health and Human Services' Office for Civil Rights as required under that rule.

Source of Debate

The interim final rule has proven controversial, so observers are anxiously awaiting the revisions.

Some consumer advocates and members of Congress criticized a "harm standard" provision in the rule. That provision allows health care organizations and their business associates to conduct a risk assessment to determine whether a particular data security breach presents "significant risk" and thus needs to be reported to those affected. Opponents say this provision should be dropped so that all breaches are reported.

Under the HITECH breach notification rule, individuals must be notified of breaches within 60 days. Breaches that affect more than 500 individuals must also be reported to the HHS Office for Civil Rights and the news media. Breaches involving information that has been encrypted do not need to be reported.

The Latest Development

In a brief statement on its website, HHS says it has withdrawn its proposed final version of the rule from administrative review by the Office of Management and Budget, the final step before a regulation becomes official.

HHS is making the move "to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue, and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur."

HHS says it intends to publish a final rule in the Federal Register "in the coming months."

The HHS Office for Civil Rights, which administers the rule, said in a statement provided to HealthcareInfoSecurity.com: "No further details are available at this time as the final rule withdrawn from OMB review is considered to be part of pre-decisional agency deliberations on regulations. The interim final rule continues in full force and effect until a final rulemaking is issued.

"The final rulemaking will take into account the comments received on the interim final rule and our experiences with administering the new breach notification provisions since last September. These are routine, formal regulatory processes."

Congressional Response

In an Oct. 1, 2009, letter to HHS Secretary Kathleen Sebelius, a bipartisan group of six members of the U.S. House of Representatives, including Rep. Henry Waxman, D-Calif., chairman of the Committee on Energy and Commerce, called for repeal of the harm standard provision because it is "not consistent with Congressional intent."

They pointed out that Congress "considered and rejected" such a standard "due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal information."

The HITECH Act section of the economic stimulus package, known as the American Recovery and Reinvestment Act of 2009, requires healthcare organizations to notify individuals if there is an "unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information." The Congressmen criticized HHS for interpreting the term "compromises" to include a "substantial harm standard." They said a "black and white standard makes implementation and enforcement simpler."

The Coalition for Patient Privacy, a group of 13 advocacy organizations, on Oct. 23, 2009, also requested that HHS remove the harm standard, saying it "weakens the breach notification requirement dramatically, granting the company that would like to avoid the cost and consequences of breach notification the power to decide if they will notify."


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.





Around the Network