New, broader HIPAA breach notification rules took effect Wednesday, but several privacy groups, which pushed hard for tougher HIPAA standards in the stimulus legislation, are worried about a potential loophole. The new rules spell out procedures for notifying individuals of any unauthorized acquisition, access, use or disclosure of unsecured protected health information, and they extend the obligation to business associates of HIPAA-covered entities, which must now report breaches they discover to the covered entity. But data that has been encrypted in a manner consistent with HHS guidance is exempt from the notification requirement (provided the decryption key itself has not been compromised), and an incident only counts as a reportable breach if the disclosure poses a significant risk of financial, reputational or other harm to an individual. That risk assessment is performed by the covered entity itself.
It's this "harm threshold" that has privacy advocates howling. "If a healthcare company consistently makes an error that it determines carries insignificant risk of harm to the patient, what incentive is there for the company to fix it? They never have to tell anyone unless, of course, harm actually occurs. But then it is too late," Harley Geiger, staff counsel for the Center for Democracy and Technology, an Internet privacy advocacy group, wrote on his blog.
Well-known healthcare privacy hawk Dr. Deborah Peel called the harm threshold "absurd" because no such language exists in the stimulus legislation. "It's shocking to see that the federal agency charged with protecting the public [HHS] is instead protecting private corporations against the embarrassment and bad press that would occur if they aren't protecting our health records," Peel told the federal Health IT Policy Committee last week.
For greater detail on breach notification:
- read this Federal Computer Week story
- check out this article in SC Magazine US
- peruse the HHS interim final rule on breach notification (.pdf)
- read Peel's testimony to the HIT Policy Committee (.pdf)
- see Geiger's blog post