In that regulation, published in the Federal Register August 24, 2009, many commenters suggested OCR add a "harm threshold such that an unauthorized use or disclosure of [personal health information] is considered a breach only if the use or disclosure poses some harm to the individual."
Today, one year later, that rule is in effect, but on an interim basis. OCR submitted a final rule on breach notification for review by the Office of Management and Budget (OMB) but withdrew it earlier this month.
OCR did not specify why it withdrew the final rule, but some speculate that OCR may remove the "harm threshold" and move to an approach more like California's, where all breaches are reported.
Of those 3,766 breaches reported in the Golden State, California's investigations team has completed reviews of 1,953. It found that 98.7% of those breaches were "substantiated medical breaches."
One California attorney says a harm threshold would help avoid the need to report innocuous breaches such as a fax going to the wrong provider.
"You add a huge expense and worry people" by reporting harmless breaches, said Paul Smith, partner with Davis Wright Tremaine LLP of San Francisco and co-chair of its health information privacy practice.
Most healthcare entities handle breaches in a "conscientious" way, Smith says.
"They understand that if there is a risk to the patient, it's in everyone's interests to provide notification."
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, agrees that sending notification upon notification can unnecessarily panic people "who really are at no risk of harm." "Secondly," he says, "getting breach notifications every time a truly low-risk potential disclosure occurs will result in 'warning fatigue.'"
It's like the boy who cried wolf, and "people will ignore notices they get when there really is something to worry about," says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, "HIPAA's New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations."