Staying Vigilant, Covered Entities! The Interim Breach Notification Rule is Still in Effect!
Health Law Update 08/02/10 Sarah E. Coyne
It is worse than the logical reasoning questions on the Law School Admission Test (If five ducks are sitting on three lily pads, how long does it take a monkey with a wooden leg to kick the seeds out of a dill pickle?).
On July 28, 2010 the federal Department of Health and Human Services ("DHHS") gave privacy officers everywhere a fleeting moment of hope and glory by announcing the withdrawal of the final breach notification rule. Upon further scrutiny of the short and cryptic press release, the cruel cold reality set in: DHHS withdrew the final breach notification rule…but really what happened is that DHHS temporarily withdrew a nonpublished rule proposing revisions to the existing interim rule in effect. These revisions - in the form of a final rule - had been submitted for review to the Office of Management and Budget ("OMB"), and then DHHS yanked it back.
While DHHS reconsiders its revisions to the regulations, the existing regulations remain in effect. (For more information on the HIPAA breach notification regulations as they currently exist, see our August 2009 Health Law Update.) That's right folks; you need to detect, log and report your breaches just as you have been faithfully doing since (at least) February.
DHHS has been working on revisions to the breach notification regulations and had submitted revised regulations to OMB, which is the final step before final publication of the regulations. However, citing its "experience to date in administering the regulations," DHHS decided to withdraw its revisions from OMB review, presumably to make further changes to the regulations.
What could this mean? Too many reported breaches clogging the system? The DHHS announcement offers little explanation: "This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur." Some have speculated that DHHS is considering a modification of the risk of harm standard, under which an unauthorized use or disclosure of protected health information ("PHI") is not a reportable "breach" if it does not "pose a significant risk of financial, reputational, or other harm" to individuals whose PHI was used or disclosed. In a letter to DHHS Secretary Kathleen Sebelius after the breach notification regulations were released, several legislators called for a revision or repeal of the risk of harm standard as inconsistent with congressional intent.
So keep using your audit software and your breach notification policy, and keep trying to figure out how to encrypt (and thus secure) data at rest. When you do figure that out, please call the authors of this update and explain it to them. Meanwhile, we will all wait for a new and improved final rule while we continue to diligently follow the interim rule. More
For more details or if you have any questions, please contact Sarah Coyne at (608) 283-2435 / firstname.lastname@example.org, or your Quarles & Brady attorney.