Back on Aug. 19, HHS published an interim final rule fleshing out the federal breach notification provisions in the American Recovery and Reinvestment Act of 2009, also known as the stimulus law. The HHS rule applies to so-called “covered entities” and their business associates as defined in the stimulus law and the Health Insurance Portability and Accountability Act of 1996.
Also in August, two days before HHS published its rule, the Federal Trade Commission released its companion rule—also pursuant to the stimulus law—to cover breach notifications by vendors of personal health records and their business associates.
HHS rulemakers concluded that providers, other covered entities and their business associates who lose control of patient information should first perform a risk assessment. Then, HHS ruled, the unauthorized use or disclosure of protected health information would be considered a breach that required notification only if the provider or other entity determined in the risk assessment that the disclosure poses “a significant risk of financial, reputational or other harm to the individual.”
The FTC had no such harm threshold in its rule for PHR providers.
Thus, we wanted readers to tell us: Should patients be notified only when the provider or other organization determines there is an expectation of harm, as HHS interpreted the law, or whenever there is unauthorized disclosure, as the FTC did?
The 78 readers who responded to our poll could not have been more evenly divided.
Thirty-four respondents (44%) agreed with the interpretation of HHS, another 34 agreed with that of the FTC, five readers (6%) agreed with both the HHS and FTC interpretations and another five disagreed with both.
Who will be declared right in the end?
HHS has some powerful incentives to revisit the question before removing “interim” from the final rule.
First, in August HHS opened a 60-day public comment period on the interim rule. That period ended on October 23, but not before generating conflicting opinions.
A consumer watchdog organization howled about the HHS rule, but group purchaser Premier applauded HHS, saying its interpretation rightfully would limit notifications only to breaches “that pose a significant risk to individuals.”
Finally, six key leaders in the House—five Democrats and one Republican—wrote in October to HHS Secretary Kathleen Sebelius, informing her that legislators considered applying a harm threshold when drafting the law, but voted it down. Thus, they said, adding back a harm threshold to the HHS rule violates the will of Congress. They asked Sebelius to either withdraw or rewrite the rule.
Sebelius wrote back saying she'd include the representatives' concerns in the review along with other public comments before a final rule is drafted.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.