HHS' interim final rule on breach notification released last week included most of the same requirements in the HITECH Act regarding breach notification:
However, there is something new and significant—a "harm threshold" provision that will help covered entities and business associates (BAs) determine whether or not to report a breach.
HHS said in the interim final rule that many commenters on the draft guidance in April suggested HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."
HHS agreed. Now, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.
According to the interim final rule, the important questions are:
In certain cases, if the information includes only a patient's name and the fact they've had services at the hospital, that's no harm, no breach.
But what if the information includes the patient's oncology treatments? Lots of potential harm there. And that's a breach.
This is good news for covered entities, especially when you look at all those faxes with PHI that go to the wrong address in a hospital. If that fax goes to another HIPAA covered entity who immediately shreds it, no breach notification required.
"It's good news since it appropriately lets organizations off the hook when the breach, as defined by the Recovery Act, doesn't appear to put the patient or plan member at measurable risk," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.