Members of Congress and others are unhappy with the HHS’ interpretation of privacy-related provisions of the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.
IT, Congress urge HHS to add harm threshold
Before the public-comment window closed last month, the new rule garnered support from healthcare industry organizations, including the American Hospital Association and group purchasing and quality organization Premier.
It also catalyzed some strident criticism. The focus of much of the criticism is an interpretation of the health information technology portion of the law that says breaches of privacy only need be reported in cases in which the provider involved believes no harm occurred as a result of the breach.
The American Psychoanalytic Association, in its public-comment letter written by Washington lawyer James Pyles, a partner in the law firm Powers Pyles Sutter & Verville, said HHS, by adding a harm threshold, “materially alters the statutory definition of breach.” Its interpretation not only is “contrary to the plain language of the statute” but also “would appear to be a classic case of ‘putting the fox in charge of the henhouse.’ ” There is, he wrote, “simply no authority” for such an exception.
But probably the most telling of the negative comments came in an Oct. 1 letter to HHS Secretary Kathleen Sebelius from no less than six powerful leaders in the House of Representatives, including the House Energy and Commerce Committee’s chairman, Rep. Henry Waxman (D-Calif.), and ranking member, Rep. Joe Barton (R-Texas). The six deemed that a provision of the HHS rule was “not consistent with congressional intent” and urged Sebelius to “revise or repeal” the offending HHS interpretation “at the soonest appropriate opportunity.”
The Federal Trade Commission, in drafting a companion rule under the stimulus law on breaches by vendors and associates involved with consumer-oriented personal health-record systems, didn’t use a harm threshold.
On Oct. 20, Sebelius responded to the congressmen, thanking them for their “views on this important matter,” adding she is “committed to ensuring strong privacy and security protections.” Sebelius did not respond to their request to rescind the offending portion of the rule.
The AHA, with some reservations, generally endorsed the HHS effort, “particularly HHS’ recognition that the federal breach requirements necessitate an explicit risk of harm trigger for the notice obligations,” according to its six-page public comment letter by Executive Vice President Richard Pollack. The AHA “strongly” urged HHS to keep the breach definition that includes the element of harm.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.