HHS Withdraws Breach Notification Rule From Review
The U.S. Department of Health and Human Services (HHS) announced July 29 that it is temporarily withdrawing the Breach Notification for Unsecured Protected Health Information final rule from administrative review. “Given the Department’s experience to date in administering the regulations,” HHS said, further consideration has been deemed necessary.
The additional time will allow HHS to consider one regulation in the rule in particular. According to ModernHealthcare.com, six members of the House of Representatives, led by Energy and Commerce Committee Chairman Rep. Henry Waxman (D-Calif.) and the committee’s ranking member, Rep. Joe Barton (R-Texas) wrote a letter to HHS Secretary Kathleen Sebelius asking HHS to “revise or repeal” the section in the rule that requires health care providers, researchers and information analysts and their business associates involved to perform a risk assessment in the event of a breach and determine the extent of harm done to persons whose records have been breached.
Congressional leaders say they have considered and rejected a harm standard in legislative deliberations and that it would not be “consistent with congressional intent” for HHS to insert such a requirement in the rule, ModernHealthcare.com reports.
The Breach Notification final rule also implements a provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act that requires health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to promptly notify individuals when their health information is breached in cases where a breach affects more than 500 individuals.
Breach notification regulations as written in a proposed rule issued Aug. 24, 2009 have been in effect since Sept. 23, 2009. HHS submitted a final rule for review to the Office of Management and Budget (OMB) May 14.
While HHS reconsiders the final rule, the interim final rule “remains in full force and effect,” Susan McAndrew, deputy director for health information privacy in the Office for Civil Rights at HHS told ModernHealthcare.com in an e-mail.
HHS says it intends to publish a final rule in the Federal Register in coming months.