On July 28, 2010, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it had withdrawn the draft final rule for HIPAA breach notification that it submitted in May to the Office of Management and Budget (OMB) for review. The possible reasons for the withdrawal are discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction in accordance with HHS guidance, so the notification duty turns in part on whether the affected data was encrypted. All covered entities, and their business associates, should have in place, and adhere to, an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of the privacy or security of PHI.
The reason OCR gave for withdrawing the draft final breach notification rule was to “allow for further consideration, given the Department’s experience to date in administering the regulations.” However, since publication of the Interim Final Rule, several members of Congress and privacy advocates have expressed concerns about the rule’s so-called risk of harm provisions, which may have created pressure on HHS/OCR to consider crafting a more stringent final rule.
Under the HITECH Act, covered entities must notify individuals and HHS of any unauthorized acquisition, access, use, or disclosure of the individuals’ unsecured PHI which “compromises the security or privacy of such information.” HITECH Act, § 13400. The breach notification law applies to PHI in any format or medium, including both paper and electronic PHI. When issuing the Interim Final Rule for breach notification last year, HHS interpreted the HITECH Act to require notification of a breach only if a covered entity determines that the violation poses a “significant risk of financial, reputational or other harm to the individual.” 45 C.F.R. § 164.402(1)(i). The preamble to the Interim Final Rule states that notification may not be required if a covered entity, such as a hospital or insurer, determines, after a risk assessment, that the individual whose PHI was accessed, used or disclosed will not be harmed. See 74 Fed. Reg. 42740, 42744 (August 24, 2009). In practice, this means the covered entity must document that risk assessment for each incident, since the determination that no notification is required is what a regulator will later examine.
According to a recent article in the New York Times, several members of Congress, along with privacy rights groups, have expressed strong opposition to the risk of harm standard in the Interim Final Rule. See Robert Pear, “Tighter Medical Privacy Rules Sought”, New York Times, http://www.nytimes.com/2010/08/23/health/policy/23privacy.html (last visited August 30, 2010). Specifically, the article refers to a letter from six members of Congress to HHS Secretary Kathleen Sebelius in which the representatives stated that Congress had explicitly considered and rejected a risk of harm standard of the kind expressed in the Interim Final Rule. HHS, for its part, maintains that some form of risk of harm threshold is needed under the HITECH Act breach notification requirements to avoid flooding consumers with notices of breaches involving insignificant or “innocuous” privacy violations, according to the newspaper. The New York Times quoted an OCR official who stated that the agency had “second thoughts” about the draft final rule submitted to OMB in May of this year and withdrew it at the urging of the White House. HHS/OCR hopes to issue a final HIPAA breach notification regulation sometime this fall, according to the paper.