HHS takes breach-alert rule off the table
HHS has withdrawn from administrative review a proposed final version of a federal rule that requires hospitals, physicians, health plans and other specified handlers of patient health records to notify patients in the event that their personally identifiable health information is exposed by a data security breach.
In a notice posted on its website, HHS said it was withdrawing the final breach-notification rule from review by the Office of Management and Budget "to allow for further consideration, given the department's experience to date in administering the regulations."
The withdrawal does not affect, however, the interim final rule on breach notification that went into effect last fall, according to Susan McAndrew, the deputy director for health information privacy in the Office for Civil Rights at HHS. The interim final rule "remains in full force and effect," McAndrew said in an e-mail.
The civil rights office has enforcement authority for privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.
A new federal breach-notification requirement was among a number of more-stringent health information technology privacy and security provisions of the American Recovery and Reinvestment Act of 2009. Last August, HHS published an interim final rule on breach notification, which took effect Sept. 30, 2009. Since then, more than 100 organizations that exposed the protected healthcare information of 500 or more people have posted information about the breaches online at an HHS website.
Several breach-notification requirements in the interim final rule were criticized by privacy advocates, but one requirement also gained some powerful detractors in six members of the House of Representatives, led by Energy and Commerce Committee Chairman Rep. Henry Waxman (D-Calif.) and the committee's ranking member, Rep. Joe Barton (R-Texas). The lawmakers wrote HHS Secretary Kathleen Sebelius asking HHS to "revise or repeal" an offending section of the rule "at the soonest appropriate opportunity."
As written, the interim final rule states that, in the event of a breach, it is up to the healthcare providers, researchers, information analysts and business associates involved to perform a risk assessment. It is their duty to determine the extent of the harm done to persons whose records have been breached, and only in those cases where they determine that harm has been done are they required by the interim final rule to notify affected patients.
The congressional leaders said they considered and rejected a harm standard in legislative deliberations and that it would be "not consistent with congressional intent" for HHS to insert one in the rule.
HHS, in its withdrawal statement, said breach notification is "a complex issue," adding "the administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur."
"We intend to publish a final rule in the Federal Register in the coming months," the writers of the HHS notice said.