• House Leaders Seek Revision of HIPAA's Breach Notification Rules
  • October 14, 2009 | Author: Kerrie S. Howze
  • Law Firm: King & Spalding LLP - Atlanta Office
  • Energy and Commerce Chairman Henry A. Waxman (D-Calif.) and Ways and Means Chairman Charles B. Rangel (D-N.Y.) are urging the U.S. Department of Health and Human Services (HHS) to revise or repeal the “harm” provision in the recently published breach notification rules, which require entities covered under the Health Insurance Portability and Accountability Act (Pub. L. No. 104-191) to notify affected individuals and HHS of breaches of unsecured protected health information (PHI). Under the rules, a HIPAA covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as the result of a breach. In addition, the covered entity must notify HHS. If a breach affects 500 or more individuals, the covered entity must provide HHS with notice of the breach no later than 60 days from discovery of the breach; if a breach affects fewer than 500 individuals, the covered entity must provide annual notice. However, a “harm” provision exempts a covered entity from these notification requirements in situations where the covered entity determines that no harm was done to individuals whose health information was affected by the breach.

    In the preamble to the rule, HHS explained that many commenters had urged the addition of a harm threshold to the rule because: (1) it would align the regulation with many state law breach notification requirements that require entities to perform some level of risk assessment to determine if there is a risk of harm to the individual because of the breach; and (2) the notice to the individuals would be more meaningful because such individuals would not be flooded with notices for breaches that pose no threat to the security or privacy of PHI. HHS agreed with the commenters and incorporated a harm threshold in the definition of breach. Under the definition, unpermitted access, use, or disclosure of PHI is a “breach” only if it compromises the security or privacy of the PHI, which means that it poses a significant risk of financial, reputational, or other harm to the individual.

    In their letter to Secretary Kathleen Sebelius, however, Representatives Waxman and Rangel explained that exempting data breaches that do not result in harm to individuals contradicts congressional intent. According to the letter, “Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities particularly with regard to determining something as subjective as harm from the release of sensitive [PHI].” Instead, Committee members intended the standard to be “black and white” to incentivize health care entities to protect data through strong encryption or destruction methodologies, and to allow individuals to assess the level of unauthorized uses or disclosures of their PHI. The current language and interpretation of the interim final rule undermine these goals, according to Representatives Waxman and Rangel, and they therefore are urging HHS to revise or repeal the harm standard provision as soon as possible. HHS is accepting comments on the rules until October 23, 2009.