
OCR: Breach Notification Final Rule Under Review

By dnicastro@hcpro.com | August 03, 2010

The Office for Civil Rights (OCR) called its withdrawal of the breach notification final rule from further review last week “routine, formal regulatory processes.”

In an e-mail to HealthLeaders Media, the HIPAA privacy and security rule enforcer says it needs further review to craft the final HITECH-required rule that sets the foundation for how covered entities and business associates (BAs) respond during a breach of unsecured protected health information (PHI).

“The final rulemaking will take into account the comments received on the interim final rule and our experiences with administering the new breach notification provisions since last September,” OCR writes in the e-mail. “These are routine, formal regulatory processes.”

OCR withdrew the rule from the hands of the Office of Management and Budget (OMB), which reviews rules for government agencies.

The breach notification interim final rule is still in effect. It was published August 24, 2009, in the Federal Register and went into effect about a month later.

The provisions in the rule include:

  • Notice to patients of breaches "without reasonable delay" within 60 days
  • Notice to covered entities by BAs when BAs discover a breach
  • Notice to "prominent media outlets" on breaches of more than 500 individuals
  • Notice to "next of kin" on breaches of patients who are deceased
  • Notice to the Secretary of HHS of breaches of 500 or more without reasonable delay
  • Annual notice to the Secretary of HHS of breaches of fewer than 500 of "unsecured PHI" that pose a significant financial risk or other harm to the individual, such as reputation

Several Congressmen objected to the breach notification interim final rule’s “harm threshold” provision, which allows covered entities to perform a risk assessment to determine the level of harm in a potential breach.

Essentially, it’s one way those entities can avoid breach notification. Congress did not write this provision into HITECH.

Asked if the withdrawal from OMB review had anything to do with the harm threshold, OCR wrote, “No further details are available at this time as the final rule withdrawn from OMB review is considered to be part of pre-decisional agency deliberations on regulations.”

OCR wrote on its website that it intends to publish a final rule in the coming months.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
