Congressmen Want HIPAA Harm Threshold Eliminated

Dom Nicastro, for HealthLeaders Media, October 9, 2009

Covered entities and BAs may get off the hook on some breaches with good reason. But at other times the harm threshold may lead them down the wrong road, misjudging or underrating the impact of the breach.

Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, says, "The bad news from a privacy compliance perspective is that while the harm threshold approach requires organizations to perform and document a risk assessment in every instance, introducing the concept of a subjective harm threshold can be seen as a big loophole that some organizations will stretch."

The letter to Sebelius was signed by:

Henry A. Waxman (D-CA)
Chairman
Committee on Energy and Commerce

Charles B. Rangel (D-NY)
Chairman
Committee on Ways and Means

John D. Dingell (D-MI)
Chairman Emeritus
Committee on Energy and Finance

Frank Pallone Jr. (D-NJ)
Chairman
Subcommittee on Health Committee and Energy and Commerce

Pete Fortney Stark (D-CA)
Chairman
Subcommittee on Health
Committee on Ways and Means

Joe Barton (R-TX)
Ranking Member
Committee on Energy and Commerce


Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.
4 comments on "Congressmen Want HIPAA Harm Threshold Eliminated"


John (10/19/2009 at 5:43 PM)
I agree with the first comment. The premium is on the security and integrity of the data itself, not the harm it may, or may not, cause if breached. I believe this is the true intent of the law. Leaving the decision of harm assessment to BAs and CEs is simply not consistent with patients' rights to privacy. Either you take the safeguards necessary to ensure, to the best of your ability, the security of the health data you have been charged to manage, or you don't. If you are found not to have done so, then you should be penalized. Why wait for harm? Strong standards, if followed and enforced, reducing the likelihood of breach, make far more sense.

HLGCDT (10/13/2009 at 12:54 PM)
The Center for Democracy & Technology wrote an article on how the HHS' new "harm standard" for breach notification undermines transparency and patient privacy. That article can be found here: http://blog.cdt.org/2009/09/11/hhs%E2%80%99-new-harm-standard-for-breach-notification/ Instead of the "harm standard", whether health information has been compromised should be determined by an assessment of the risk that the data has been or will be inappropriately acquired, viewed or used. This "acquisition-based" risk assessment is more aligned with Congressional intent than the "harm-based" risk assessment. Focusing on the likelihood of acquisition removes the subjectivity from the harm standard, preserves the incentives for health care companies to protect data, reduces unnecessary patient notifications, and is easier to enforce and administer. Hopefully HHS will revise the harm standard to this more appropriate approach.

JIm (10/12/2009 at 10:35 AM)
I think it is pretty simple. If the info is inadvertently sent to a BA that normally handles other PHI, they are notified promptly, and no further disclosure is made, then it is not a breach. This covers faxes sent to the wrong doc, insurance billing errors, etc. If the PHI is released to a non-BA entity, like the individual who received the information for another patient, then this would be a breach. By requiring all inadvertent disclosures to be treated as breaches, the real effect is to diminish the law, as everyone will be overwhelmed with disclosure notifications that will just waste everyone's time. It's like the warnings that are on everything you buy. No one reads them, as they are so verbose and just contain information that any reasonable person would know.