HIPAA's Harm Threshold is a Huge Weakness

Dom Nicastro, for HealthLeaders Media, September 21, 2009

A lawyer and panelist at last week's 17th annual national HIPAA Summit called HHS' new "harm threshold" in its interim final rule on breach notification a "huge weakness."

Gerry Hinkley, Esq., partner and chair of HIT practice group for Davis Wright Tremaine in San Francisco, presented a talk on breach notification and the new components of HIPAA in the HITECH Act on Day 3 of the conference at the Wardman Park Hotel in Washington, DC, Friday.

Perhaps his most telling comment came about the new "harm threshold" in the HHS interim final rule on breach notification.

Hinkley called it a "huge weakness." If he were a patient, Hinkley said, he would want to be the one determining whether information that was disclosed inappropriately could cause significant harm, not the covered entity.

HHS says in the interim final rule that many commenters on the draft guidance in April suggested HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."

HHS agreed. Hinkley does not.

HealthLeaders Media asked Hinkley at the Summit Friday if he sees instances where HHS will overrule a covered entity's determination of significant harm to a patient.

"You always have that risk because if your determination is not reasonable, you've got a HIPAA violation," Hinkley said. "You're going to be second-guessed so you want to be balanced and conservative in making that determination."

According to the interim final rule, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.

1 comment on "HIPAA's Harm Threshold is a Huge Weakness"

HLGCDT (10/13/2009 at 12:56 PM)
The Center for Democracy & Technology wrote an article on how the HHS' new "harm standard" for breach notification undermines transparency and patient privacy. That article can be found here: http://blog.cdt.org/2009/09/11/hhs%E2%80%99-new-harm-standard-for-breach-notification/ Instead of the "harm standard", whether health information has been compromised should be determined by an assessment of the risk that the data has been or will be inappropriately acquired, viewed or used. This "acquisition-based" risk assessment is more aligned with Congressional intent than the "harm-based" risk assessment. Focusing on the likelihood of acquisition removes the subjectivity from the harm standard, preserves the incentives for health care companies to protect data, reduces unnecessary patient notifications, and is easier to enforce and administer. Hopefully HHS will revise the harm standard to this more appropriate approach.