Breach Notification Final Rule on Hold
The Department of Health and Human Services has withdrawn the final rule on breach notification it had submitted for review to the Office of Management and Budget. HHS submitted the rule to OMB on May 14, in what typically would be the final step before its publication.
HHS withdrew the rule to “allow for further consideration, given the Department’s experience to date in administering the regulations,” it wrote in a notice posted to its Web site. HHS described the breach notification issue as “complex,” but it did not indicate exactly why it is reconsidering the final rule.
The breach notification regulation stems from the HITECH Act within the American Recovery and Reinvestment Act. The rule requires covered entities to notify patients of any breach of their protected health information, if that information was unencrypted at the time.
Breaches must also be reported to HHS annually; those involving 500 records or more must be reported to HHS and the media within 60 days of discovery. HHS posts notices of the large-scale breaches on its Web site, a list that surpassed 100 breaches by early summer.
In August 2009 HHS published an interim final rule, which became effective in September and enforceable the following February. HHS notes that it received approximately 120 comments on the interim rule.
The most controversial aspect of the interim rule was HHS’s inclusion of a “harm threshold,” which had not been specified in HITECH. The threshold provision allows entities to forgo notifying patients of breaches that the entity deems unlikely to cause harm to the patient.
Some consumer groups and members of Congress objected to the provision as contrary to the law’s intent. Others lauded it as a common-sense measure that avoids the reporting of minor administrative errors, such as a fax sent to the wrong department within the facility or the wrong provider within the network.