HIPAA Harm Threshold Works, Say Providers

By dnicastro@hcpro.com | February 08, 2010

HHS' "harm threshold" standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.

At the 18th annual National HIPAA Summit Friday, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.

"If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," Hofman said.

The panelists at the three-day seminar at the Wardman Park Hotel in Washington, DC, responded to a question from an attendee on the controversial harm threshold.

HHS says in the interim final rule that many commenters on its draft guidance in April suggested that HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."

Now, covered entities and their business associates (BAs) will perform a risk assessment to determine whether there is a significant risk of harm to the individual whose PHI was inappropriately disclosed.

According to the interim final rule, the important questions are:

  • In whose hands did the PHI land?
  • Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
  • Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?

Some Congressmen disagree with the standard.

Six members of the House of Representatives signed a letter on October 1 written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification.

The Congressmen, all but one of whom are Democrats, wrote they are "deeply concerned" about the harm provision because it gives covered entities and business associates (BAs) a "breadth of discretion" as they determine the level of harm to an individual whose PHI was inappropriately disclosed.

Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.

Mikels, of Partners in Boston, said Friday her team is already prepared to conduct its harm risk assessment.

"We have to look at those harm questions," she said.

For instance:

  • Was it a release from one person inside your organization to another person who didn't need to know?
  • Does your organization have reason to believe that the PHI wasn't accessed?

"What do I think about [the harm threshold]? Again, it's a balance thing," Mikels said. "I think it makes sense to do a risk assessment. Whoever's the closest to the issue is the one who is best able to look at it and best able to figure out what happened."

Without a risk assessment and determination of harm, patients would be "inundated with so many letters that the letter of the law would be meaningless," Mikels said. "I'm kind of leaning toward I think it makes sense to do a risk analysis if we do it well and with the intent of the law. We tend to err on the side of caution and notify patients. Down the road, we wouldn't want patients to say, 'OK, my identity was stolen,' and we didn't do anything about it."

At the last HIPAA Summit—in September—Gerry Hinkley, Esq., partner and chair of the HIT practice group for Davis Wright Tremaine in San Francisco, called the harm threshold a "huge weakness." He said if he's a patient, he wants to be the one determining whether information that was disclosed inappropriately could cause significant harm—and not the covered entity. Some also say it allows organizations to decide at their own discretion which incidents count as breaches.

"I don't think this is a get-out-of-jail-free card," Hofman of Cascade Healthcare Community said Friday. "With legal, compliance and with ethics, you would hope most organizations would have a higher standard of ethics, and that we'd do our best for our patients."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
