Congressmen Want HIPAA Harm Threshold Eliminated

Dom Nicastro, for HealthLeaders Media, October 9, 2009

Six members of the House of Representatives signed a letter written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification.

The rule was published in the Federal Register August 24 and took effect September 23.

HHS added a provision that says an unauthorized use or disclosure of PHI is considered a breach only if the use or disclosure poses some harm to the individual. Part of the goal is to eliminate notification on incidental breaches, such as a fax to the wrong department within an organization.

The Congressmen, all but one of whom are Democrats, wrote they are "deeply concerned" about the harm provision because it gives covered entities and business associates (BAs) a "breadth of discretion" as they determine the level of harm to an individual whose PHI was inappropriately disclosed.

Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.

Prior to ARRA becoming law, the Committee on Energy and Commerce proposed a similar definition of a breach. It required patients to be notified if the unauthorized use of PHI could "reasonably result in substantial harm, embarrassment, inconvenience or unfairness to the individual," according to the letter to Sebelius.

However, Congress rejected that language and instead passed a "black and white" standard on breach notification that "makes implementation and enforcement simpler," the Congressmen wrote.

The legislation includes a "safe harbor for information that is rendered unusable, unreadable, or indecipherable to unauthorized individuals, and other specific exceptions," the letter continued. "The primary purpose for mandatory breach notification is to provide incentives for healthcare entities to protect data, such as through strong encryption or destruction methodologies, and to allow individuals to assess the level of unauthorized use or disclosure of their information."

Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME, says the harm threshold provision in the interim final rule leaves the rule "nowhere near as strict as I was expecting."

"Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported," Simons adds.

4 comments on "Congressmen Want HIPAA Harm Threshold Eliminated"

John (10/19/2009 at 5:43 PM)
I agree with the first comment. The premium is on the security and integrity of the data itself, not the harm it may, or may not, cause if breached. I believe this is the true intent of the law. Leaving the decision of harm assessment to BAs and CEs is simply not consistent with patients' rights to privacy. Either you take the safeguards necessary to ensure, to the best of your ability, the security of the health data you have been charged to manage, or you don't. If you are found not to have done so, then you should be penalized. Why wait for harm? Strong standards, if followed and enforced, reducing the likelihood of breach, make far more sense.

HLGCDT (10/13/2009 at 12:54 PM)
The Center for Democracy & Technology wrote an article on how the HHS' new "harm standard" for breach notification undermines transparency and patient privacy. That article can be found here: http://blog.cdt.org/2009/09/11/hhs%E2%80%99-new-harm-standard-for-breach-notification/ Instead of the "harm standard", whether health information has been compromised should be determined by an assessment of the risk that the data has been or will be inappropriately acquired, viewed or used. This "acquisition-based" risk assessment is more aligned with Congressional intent than the "harm-based" risk assessment. Focusing on the likelihood of acquisition removes the subjectivity from the harm standard, preserves the incentives for health care companies to protect data, reduces unnecessary patient notifications, and is easier to enforce and administer. Hopefully HHS will revise the harm standard to this more appropriate approach.

JIm (10/12/2009 at 10:35 AM)
I think it is pretty simple. If the info is inadvertently sent to a BA that normally handles other PHI, they are notified promptly, and no further disclosure is made, then it is not a breach. This covers faxes sent to the wrong doc, insurance billing errors, etc. If the PHI is released to a non-BA entity, like the individual who received the information for another patient, then this would be a breach. By requiring all inadvertent disclosures to be treated as breaches, the real effect is to diminish the law, as everyone will be overwhelmed with disclosure notifications that will just waste everyone's time. It's like the warnings that are on everything you buy. No one reads them, as they are so verbose and just contain information that any reasonable person would know.