HHS quietly withdraws HIPAA breach-notification rule

Following a firestorm of criticism from privacy advocates who say federal officials gave too much leeway to healthcare organizations that inadvertently disclose protected health information, HHS has without fanfare withdrawn its HIPAA "breach notification" final rule that had been submitted to the White House for budgetary approval.

The move was "to allow for further consideration, given the department's experience to date in administering the regulations," the HHS Office for Civil Rights posted on its website late Wednesday. "This is a complex issue and the administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," OCR explained.

HHS had submitted a final rule to the White House Office of Management and Budget on May 14, AHA News reports, but withdrew the plan citing difficulties in administering the existing interim final rule, which has been in effect since Sept. 23, 2009. HHS officials say they will publish a final rule in the Federal Register "in the coming months," but offered no specifics.

The decision thrilled the Patient Privacy Rights Foundation, headed by noted privacy watchdog Dr. Deborah Peel, which had been adamantly opposed to the so-called "harm standard."

Under the interim final rule, healthcare organizations only have to report HIPAA privacy and security breaches to OCR if the covered entity itself determined that the breach caused direct harm to the affected patients. "Put simply, the proposed final rule granted the power to decide whether to report breaches or not to the businesses that failed to protect sensitive health data, and would not want to disclose breaches," Patient Privacy Rights says in a press release. "Talk about letting the fox guard the hen house."

Several key members of Congress had opposed the "harm standard" as well.

For more information:
- see the posting on the OCR website
- read this AHA News brief
- take a look at this Patient Privacy Rights Foundation press release (.pdf)