Final breach notification rules delayed
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.
During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010. However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:
HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.
HHS's withdrawal remains a bit of mystery. However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.
Ed Shay believes one of the reasons could be the controversy regarding the "harm threshold" element of the rule, which we discussed earlier this year. This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person. According to Ed:
Apart from the politics of the IFR, there is the underlying reality of asking the industry to reach reasonably consistent determinations on risk of harm. I am sure many on this list have now been through the exercise of evaluating risk of harm, an exercise which leave room for a wide range of judgment in my opinion. Some covered entities will over-report, others will under-report [especially when reporting a 500+ breach may invite a large penalty for the underlying unauthorized use or disclosure. I think that he guidance on what goes into the risk of harm analysis is quite limited, even when one pursues the reference to the OMB circular, or state law which varies greatly on what constitutes reputational harm. Based upon almost one year of reported HIPAA breaches that have very likely been compared by OCR to breaches reported under state laws in states with no risk of harm proviso, OCR may be finding that a lot that OCR expected to be reported is not being reported--with the inference being that risk of harm has proven too judgment dependent in its implementation.
If risk of harm is not the issue, then I would offer that finalizing subcontractor BAs would have to precede finalizing breach notification. If subcontractor BAs survives the proposed rule, then reporting upstream has to be addressed in final breach notification rules.
You can find HHS's brief press release on the subject by clicking here.
