Stronger patient privacy rules ahead

Consumer advocates, including Democratic lawmakers and a few Republicans, have won the battle over whether the Department of Health and Human Services should tighten up its standard for notifying patients about privacy breaches--for now. HHS will have to rewrite the privacy rules, the New York Times reports.

HHS Secretary Kathleen Sebelius issued temporary rules last August. Earlier this month--on advice from the White House--HHS quietly withdrew its final breach notification rule.

"We decided to pull it back," Georgina C. Verdugo, director of the Office for Civil Rights at the Department of Health and Human Services, told the Times. "We had second thoughts. We hope to issue a final regulation this fall."

The point of contention between consumer groups and provider representatives was the standard for notifying patients of privacy breaches. The temporary rules Sebelius submitted to the White House this spring said healthcare providers and health insurance plans had to notify patients of a privacy breach only if they found that the violation posed "a significant risk of financial, reputational or other harm to the individual."

While hospitals and insurers may be reluctant to notify patients--because publicizing a patient privacy breach could damage the institution's reputation--consumer rights advocates say the draft rules did not protect patients' rights enough. "How does a hospital or an insurance company know whether an improper disclosure will harm an employee's chances for promotion or endanger a victim of domestic abuse?" said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, a civil liberties group.

Last fall, provider groups including the American Hospital Association and the Medical Group Management Association argued that any changes would burden them with onerous reporting requirements.
