
Congressmen Want HIPAA Harm Threshold Eliminated

By HealthLeaders Media Staff
October 09, 2009

Six members of the House of Representatives signed a letter written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification.

The interim final rule was published in the Federal Register on August 24, 2009, and took effect September 23, 2009.

HHS added a provision under which an unauthorized use or disclosure of PHI counts as a breach only if it poses a significant risk of financial, reputational, or other harm to the individual. Part of the goal is to avoid notification for incidental disclosures, such as a fax sent to the wrong department within an organization.

The Congressmen, all but one of whom are Democrats, wrote they are "deeply concerned" about the harm provision because it gives covered entities and business associates (BAs) a "breadth of discretion" as they determine the level of harm to an individual whose PHI was inappropriately disclosed.

Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), whose HITECH Act provisions include tougher HIPAA enforcement and expanded breach notification requirements.

Prior to ARRA becoming law, the Committee on Energy and Commerce proposed a similar definition of a breach. It required patients to be notified if the unauthorized use of PHI could "reasonably result in substantial harm, embarrassment, inconvenience or unfairness to the individual," according to the letter to Sebelius.

However, Congress rejected that language and instead passed a "black and white" standard on breach notification that "makes implementation and enforcement simpler," the Congressmen wrote.

The legislation includes a "safe harbor for information that is rendered unusable, unreadable, or indecipherable to unauthorized individuals, and other specific exceptions," the letter continued. "The primary purpose for mandatory breach notification is to provide incentives for healthcare entities to protect data, such as through strong encryption or destruction methodologies, and to allow individuals to assess the level of unauthorized use or disclosure of their information."

Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME, says the harm threshold provision in the interim final rule leaves the rule "nowhere near as strict as I was expecting."

"Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported," Simons adds.

Covered entities and BAs may legitimately be excused from notifying on some incidents. At other times, though, the harm threshold may lead them down the wrong road, misjudging or underrating the impact of a breach.

Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, says, "The bad news from a privacy compliance perspective is that while the harm threshold approach requires organizations to perform and document a risk assessment in every instance, introducing the concept of a subjective harm threshold can be seen as a big loophole that some organizations will stretch."

The letter to Sebelius was signed by:

Henry A. Waxman (D-CA)
Chairman
Committee on Energy and Commerce

Charles B. Rangel (D-NY)
Chairman
Committee on Ways and Means

John D. Dingell (D-MI)
Chairman Emeritus
Committee on Energy and Commerce

Frank Pallone Jr. (D-NJ)
Chairman
Subcommittee on Health
Committee on Energy and Commerce

Fortney Pete Stark (D-CA)
Chairman
Subcommittee on Health
Committee on Ways and Means

Joe Barton (R-TX)
Ranking Member
Committee on Energy and Commerce
