HIPAA's Harm Threshold is a Huge Weakness
According to the interim final rule, the important questions are:
- In whose hands did the PHI land?
- Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
- Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?
In certain cases, if the disclosed information includes only a patient's name and the fact that they've received services at the hospital, the assessment may conclude there is no harm, and therefore no breach. But what if the information includes the patient's oncology treatments? There is a lot of potential harm there, and that is a breach.
On Day 1 of the conference Wednesday, HealthLeaders Media asked David Blumenthal, MD, MPH, national coordinator for HHS' Health Information Technology, whether the government is concerned about the harm threshold's subjective nature.
Blumenthal deferred the question to the OCR office, but said, "We know there is a balance between practicality and protection in that regard."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, told HealthLeaders Media that facilities must conduct a risk assessment to determine harm.
Ruelas presented on breach notification on Day 1 of the HIPAA Summit.
"It is certainly reasonable to conclude that given the requirement to document its risk assessment with respect to this harm threshold, each covered entity will likely adopt its own unique perspective on the level of risk it would assign," Ruelas said in an e-mail to HealthLeaders Media Monday. "This same uniqueness will also likely be one determinant on how the same type of incident might be rated differently across the covered entity community."
Ruelas says a risk assessment is "vital so that breach notifications are triggered appropriately. It is the variability of how these risk assessments will be done which is what is drawing my attention. Without clear guidance or a tool to use, each covered entity is left to its own devices."
Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.
