Invite a Friend

Sitemap

Home

Technology
e-Newsletter

Intelligence Unit

Special Reports

Special Events

Subscribe

Sponsored

Departments

Follow Us

Home > Technology > Tech News & Analysis

Is HIPAA's New Harm Threshold Good News or Bad?

Comment

RSS

News Widget

Dom Nicastro, for HealthLeaders Media, August 28, 2009

HHS' interim final rule on breach notification released last week included most of the same requirements in the HITECH Act regarding breach notification:

Immediate notification to victims on all breaches

Notification to HHS on all breaches (immediate if 500 or more victims)

Notification to media outlets on breaches of 500 or more patient records

Valid encryption processes for PHI in databases consistent with National Institute of Standards and Technology (NIST)

However, there is something new and significant—a "harm threshold" provision that will help covered entities and business associates (BAs) determine whether or not to report a breach.

HHS said in the interim final rule that many commenters on the draft guidance in April suggested HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."

HHS agreed. Now, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.

According to the interim final rule, the important questions are:

In whose hands did the PHI land?

Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?

Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?

In certain cases, if the information includes only a patient's name and the fact they've had services at the hospital, that's no harm, no breach.

But what if the information includes the patient's oncology treatments? Lots of potential harm there. And that's a breach.

This is good news for covered entities, especially when you look at all those faxes with PHI that go to the wrong address in a hospital. If that fax goes to another HIPAA covered entity who immediately shreds it, no breach notification required.

"It's good news since it appropriately lets organizations off the hook when the breach, as defined by the Recovery Act, doesn't appear to put the patient or plan member at measurable risk," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

1 | 2

Email to a colleague

RSS

News Widget

Archive

Printer Friendly

Be the first to make a comment

Comments are moderated. Please be patient.

CDPH Data Breach Affects 9,000 State Workers

For the second time in just over six months, officials at the California Department of Public Health have acknowledged a major breach of health and personal information from within their own agency.

Security Breach Puts 500,000 BlueCross Members' Data at Risk

The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states, the insurer...

Flurry of HIPAA Activity Expected Over Next Three Months

The Office for Civil Rights in all likelihood will publish a draft or interim final rule outlining the new requirements for composing and updating business associate contracts in February, the same month BAs...

Continuing Education: HIPAA Privacy and Security: Executive, Administrative, and Corporate Staff

This course explains the HIPAA privacy and security rules that are relevant to the executive, administrative, and corporate staff. It also addresses the HIPAA Omnibus Rule, the HITECH Act...

go to complete list