Health care officials have been waiting months for federal officials to finalize the breach notification final rule. That wait will continue, though it won’t impact the way providers do business.
The Department of Health & Human Services (HHS) said today that it is withdrawing the final rule from review by the Office of Management and Budget (OMB). According to a brief statement, HHS wants to give breach notification further consideration and intends to publish a final rule in the Federal Register “in the coming months.”
The interim final rule for data breach notification was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act’s update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HITECH Act gives the Office for Civil Rights the power to levy hefty penalties on organizations — and business associates, who are now covered entities under HIPAA — who fall victim to a data breach.
Since going into effect last September, the interim final rule has, not surprisingly, resulted in additional data breach notifications. However, members of Congress took umbrage at the interim final rule’s material harm threshold, which, they said, was not in the spirit of the HITECH Act. (Under that threshold, providers must notify patients about a data breach if the providers determine that the breach results in material harm.) Ultimately, that’s why the rule was withdrawn from OMB review, Modern Healthcare reports (registration required).
The rule is still in effect, though, as its withdrawal does not mean that providers no longer have to abide by it. Whether the harm threshold will change remains to be seen. Stay tuned.