HHS added the concept of “harm” to that definition. In it, HHS says if providers, data-miners and other holders of patient-identifiable medical records experience a breach, they should first perform a risk analysis.
If that analysis determines, in the data-holder's view, that their breach poses only minimal risk of harm to the patient, then no breach notification is required.
HHS, meanwhile, provides no guidance in identifying what an appropriate harm threshold should be. In effect, HHS leaves it up to the offender to determine and admit it has committed an offense.
The addition not only goes beyond the language of the statute as written by Congress—a harm threshold is unmentioned in the law—but also it is inconsistent with a companion rule on breach notification written by the Federal Trade Commission and released Aug. 17, which does not include a harm standard.
Both HHS and FTC rules were written to put flesh on the bones of a new, federal breach-notification law Congress passed in February as part of the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.
The HHS version of the rule pertains to breaches of personally identifiable records held by hospitals, physicians and other so-called “covered entities” and their business associates under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996, which the stimulus law amended.
In contrast, the FTC rule pertains to firms and organizations that offer a broad array of new, consumer-oriented health IT products and services, including personal health records, which may or may not be covered organizations. The FTC rule targets these so-called health 2.0 providers and their business associates.
In its 32-page interim final rule, HHS appeared to stretch the statute by saying that a breach “is considered a breach only if the use or disclosure poses some harm to the individual.” HHS went on to authorize the organization that committed the breach to self-assess and determine if it had caused harm. As part of that self-assessment, the organization committing the breach can take into consideration who the patient information was breached to as well as the level of sensitivity of the information released.
“If the nature of the protected health information does not pose a significant risk of financial, reputational or other harm, then the violation is not a breach,” HHS said.
Only if the organization determined harm had been caused would it then be required to notify individuals whose records had been exposed, according to HHS.
Neither the statute nor the FTC rule mentioned harm as a precondition for notification, points noted by Consumer Watchdog in its protest of the HHS rule. In a news release, the group asked, rhetorically, “What prompted HHS to flout congressional intent. Could it be that Congress managed to fend off the pressures of the healthcare industry in passing ARRA only to have the lobbyists return to exert their influence on the rulemaking process?”
Premier, however, in its news release, called on HHS Secretary Kathleen Sebelius to “maintain the harm standard that would ensure that notification requirements would only pertain to breaches that pose a significant risk to individuals.”
“Without a harm standard, providers would be responsible for notifying patients of every instance of a compromise, even the most minimal, whether it imposes harm or not,” Premier said.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.