Six members of the House of Representatives signed a letter written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification.
The rule was published in the Federal Register August 24 and took effect September 23.
HHS added a provision that says an unauthorized use or disclosure of PHI is considered a breach only if the use or disclosure poses some harm to the individual. Part of the goal is to eliminate notification on incidental breaches, such as a fax to the wrong department within an organization.
The Congressmen, all but one of whom are Democrats, wrote they are "deeply concerned" about the harm provision because it gives covered entities and business associates (BAs) a "breadth of discretion" as they determine the level of harm to an individual whose PHI was inappropriately disclosed.
Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.
Prior to ARRA becoming law, the Committee on Energy and Commerce proposed a similar definition of a breach. It required patients to be notified if the unauthorized use of PHI could "reasonably result in substantial harm, embarrassment, inconvenience or unfairness to the individual," according to the letter to Sebelius.
However, Congress rejected that definition and instead passed a "black and white" standard on breach notification that "makes implementation and enforcement simpler," the Congressmen wrote.
The legislation includes a "safe harbor for information that is rendered unusable, unreadable, or indecipherable to unauthorized individuals, and other specific exceptions," the letter continued. "The primary purpose for mandatory breach notification is to provide incentives for healthcare entities to protect data, such as through strong encryption or destruction methodologies, and to allow individuals to assess the level of unauthorized use or disclosure of their information."
Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME, says the harm threshold provision in the interim final rule leaves the rule "nowhere near as strict as I was expecting."
"Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported," Simons adds.