Breach notification final rule withdrawn from OMB review - Health IT Pulse

Health IT Pulse

Jul 30 2010   12:31PM GMT





Posted by: Brian Eastwood
breach notification, HIPAA violations

Health care officials have been waiting months for federal officials to finalize the breach notification final rule. That wait will continue, though it won’t impact the way providers do business.

The Department of Health & Human Services (HHS) said today that it is withdrawing the final rule from review by the Office of Management and Budget (OMB). According to a brief statement, HHS wants to give breach notification further consideration and intends to publish a final rule in the Federal Register “in the coming months.”

The interim final rule for data breach notification was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act’s update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HITECH Act gives the Office for Civil Rights the power to levy hefty penalties on organizations — and business associates, who are now covered entities under HIPAA — who fall victim to a data breach.

Since going into effect last September, the interim final rule has, not surprisingly, resulted in additional data breach notifications. However, members of Congress took umbrage with the interim final rule’s material harm threshold, which, they said, was not in the spirit of the HITECH Act. (This means that providers must notify patients about a data breach if the providers determine that the breach results in material harm.) Ultimately, that’s why the rule was withdrawn from OMB review, Modern Healthcare reports (registration required).

The rule is still in effect, though, as its withdrawal does not mean that providers no longer have to abide by it. Whether the harm threshold will change remains to be seen. Stay tuned.


Beastwood  |   Aug 3 2010   1:27PM GMT

Additional coverage of the breach notification rule withdrawal has emerged since Friday. Here’s a quick roundup:

    Healthcare IT News speaks to the organization Patient Privacy Rights, which had likened the harm threshold to “letting the fox guard the hen house” and was pleased to see it being reconsidered.
    HealthLeaders Media asks the OMB if the withdrawal was directly related to Congressional opposition to the harm threshold and receives a “No comment.”
    In a related story, eWEEK notes that there have been data breaches at 113 health care organizations so far in 2010. This compares to only 38 financial institutions and suggests that banks are far better at monitoring database activity.