Several Congressmen objected to the breach notification interim final rule’s “harm threshold” provision, which allows covered entities to perform a risk assessment to determine the level of harm in a potential breach.
Essentially, it’s one way those entities can avoid breach notification. Congress did not write this provision into HITECH.
Asked if the withdrawal from OMB review had anything to do with the harm threshold, OCR wrote, “No further details are available at this time as the final rule withdrawn from OMB review is considered to be part of pre-decisional agency deliberations on regulations.”
OCR wrote on its website it intends to publish a final rule in the coming months.