Rethinking breach notices
HHS withdraws final rule for more consideration
HHS last week withdrew a proposed final version of a federal rule that requires hospitals, physicians, health plans and other specified handlers of patient health records to notify patients if their personally identifiable health information is exposed by a data security breach.
In a notice posted on its website, HHS said it was withdrawing the final breach-notification rule from review by the Office of Management and Budget “to allow for further consideration, given the department's experience to date in administering the regulations.” The final rule had never been published.
However, the withdrawal does not affect the interim final rule on breach notification that went into effect last fall, according to Susan McAndrew, deputy director for health information privacy in HHS' Office for Civil Rights. The interim final rule “remains in full force and effect,” McAndrew said in an e-mail.
The Civil Rights Office has enforcement authority for privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.
A new federal breach-notification requirement was among a number of more stringent health information technology privacy and security provisions of the American Recovery and Reinvestment Act of 2009. On Aug. 24, 2009, HHS published an interim final rule on breach notification, which became effective Sept. 30, 2009. Since then, more than 100 organizations that exposed the protected health information of 500 or more people have posted information about those breaches on an HHS website, as the rule requires for breaches of that size.
In an October 2009 letter to HHS' Office for Civil Rights commenting on the interim final rule and written on behalf of the professional group the American Psychoanalytic Association, lawyer Jim Pyles complained that HHS rule writers not only exceeded their authority but also drafted a rule that “appears to be designed to minimize rather than maximize the situations in which individuals will be informed” of breaches affecting their records.
Pyles said in an interview last week that pulling the rule may signal a change in direction by the Obama administration toward a more patient-centric approach to privacy.
Several breach-notification requirements in the interim final rule were criticized by privacy advocates, but one requirement also gained some powerful detractors in six members of the House of Representatives, led by Energy and Commerce Committee Chairman Rep. Henry Waxman (D-Calif.) and the committee's ranking member, Rep. Joe Barton (R-Texas), who wrote HHS Secretary Kathleen Sebelius asking HHS to “revise or repeal” an offending section of the rule “at the soonest appropriate opportunity.”
As written, the interim final rule leaves it to the healthcare providers, researchers, data-miners and business associates involved in a breach to perform their own risk assessment. They determine the extent of the harm done to the persons whose records were breached, and only where they conclude that the breach poses a significant risk of harm to those persons does the interim final rule require them to notify the affected patients.
The House members wrote that they had rejected such a harm standard during legislative deliberations, and that for HHS to insert one in the rule was "not consistent with congressional intent."
HHS, in its withdrawal statement, said breach notification is “a complex issue,” adding “the administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. ... We intend to publish a final rule in the Federal Register in the coming months.”