Congressmen Want HIPAA Harm Threshold Eliminated
Six members of the House of Representatives signed a letter written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification.
The rule was published in the Federal Register August 24 and took effect September 23.
HHS added a provision that says an unauthorized use or disclosure of PHI is considered a breach only if the use or disclosure poses some harm to the individual. Part of the goal is to eliminate notification on incidental breaches, such as a fax to the wrong department within an organization.
The Congressmen, all but one of whom are Democrats, wrote they are "deeply concerned" about the harm provision because it gives covered entities and business associates (BAs) a "breadth of discretion" as they determine the level of harm to an individual whose PHI was inappropriately disclosed.
Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.
Prior to ARRA becoming law, the Committee on Energy and Commerce proposed a similar definition of a breach. It required patients to be notified if the unauthorized use of PHI could "reasonably result in substantial harm, embarrassment, inconvenience or unfairness to the individual," according to the letter to Sebelius.
However, Congress rejected that definition and passed a "black and white" standard on breach notification that "makes implementation and enforcement simpler," the Congressmen wrote.
The legislation includes a "safe harbor for information that is rendered unusable, unreadable, or indecipherable to unauthorized individuals, and other specific exceptions," the letter continued. "The primary purpose for mandatory breach notification is to provide incentives for healthcare entities to protect data, such as through strong encryption or destruction methodologies, and to allow individuals to assess the level of unauthorized use or disclosure of their information."
Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME, says the harm threshold provision in the interim final rule leaves the rule "nowhere near as strict as I was expecting."
"Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported," Simons adds.