
HHS withdraws HIPAA security rules over concerns that “harm standard” was not protective enough

The Department of Health and Human Services has announced the withdrawal of its interim final regulations addressing notification of security breaches involving protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). An interim final rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. HHS received approximately 120 comments during the 60-day public comment period on the interim final rule. In its announcement, HHS noted that it reviewed the public comments on the interim rule and developed a final rule, which was submitted to the OMB for regulatory review on May 14, 2010. However, HHS is withdrawing the final rule from OMB review “to allow for further consideration.”

“This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” according to HHS. “We intend to publish a final rule in the Federal Register in the coming months.”

“Harm standard” controversy. Under the withdrawn rule, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of a security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it was not sufficiently protective of patients’ and plan participants’ rights.

According to Philip J. Gordon, chair of Littler Mendelson’s privacy and data protection practice group, “If HHS were to eliminate the ‘harm standard’ in its to-be-issued final regulations, the upshot for employers and health care providers would be significant, as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI.

“Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the ‘harm standard’ could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.”