The U.S. Department of Health and Human Services (HHS) announced July 29 that it is temporarily withdrawing the Breach Notification for Unsecured Protected Health Information final rule from administrative review. “Given the Department’s experience to date in administering the regulations,” HHS said, further consideration has been deemed necessary. 

The additional time will allow HHS to consider one regulation in the rule in particular. According to ModernHealthcare.com, six members of the House of Representatives, led by Energy and Commerce Committee Chairman Rep. Henry Waxman (D-Calif.) and the committee’s ranking member, Rep. Joe Barton (R-Texas) wrote a letter to HHS Secretary Kathleen Sebelius asking HHS to “revise or repeal” the section in the rule that requires health care providers, researchers and information analysts and their business associates involved to perform a risk assessment in the event of a breach and determine the extent of harm done to persons whose records have been breached.

Congressional leaders say they have considered and rejected a harm standard in legislative deliberations and that it would not be “consistent with congressional intent” for HHS to insert such a requirement in the rule, ModernHealthcare.com reports.

The Breach Notification final rule also implements a provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act that requires health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to promptly notify individuals when their health information is breached in cases where a breach affects more than 500 individuals.

Breach notification regulations as written in a proposed rule issued Aug. 24, 2009 have been in effect since Sept. 23, 2009. HHS submitted a final rule for review to the Office of Management and Budget (OMB) May 14.

While HHS reconsiders the final rule, the interim final rule “remains in full force and effect,” Susan McAndrew, deputy director for health information privacy in the Office for Civil Rights at HHS told ModernHealthcare.com in an e-mail.

HHS says it intends to publish a final rule in the Federal Register in coming months.

5 Responses to “HHS Withdraws Breach Notification Rule From Review”

1. Stephanie Jones Says:
   August 4th, 2010 at 10:47 am

   I have recently discovered that my insurance contract number was provided to my step-daughter’s mother on a bill sent to her by Lapeer Regional Medical Center. This, after I specifically told the hospital that the relationship between myself, my husband, and my step-daughter’s mother is extremely poor. When I confronted the Privacy Officer for this facility, he first told me that the mother has a right to my information (incorrect), and then backed down, stating that he would get with his billing department to determine how he could prevent it from happening in the future. A simple “Sorry” was all I got from him. He promised to get with his billing department that day, and call me back. It was two weeks when I finally made the call back to him. He stated there was no way, with the computer system they have in place, that my information would not be sent to my step-daughter’s mother on their system. Supposedly the system they are going to install in December will address this issue…however obviously this does not solve my problem.

2. Stephanie Jones Says:
   August 4th, 2010 at 10:55 am

   I have had to spend hours on the phone with my BCN insurance, trying to put in place a password so that when somebody calls their customer service line, if the person does not give this password, BCN can not speak to that person. However BCN is telling me they are not sure if they can do this. My request is in their legal department as we speak. BCN’s automated service asks for the contract number, the address, the zip code, the date of birth, and finally the customer service person asks for the caller’s first name. My step-daughter’s mother (and actually both of my step-daughter’s mothers, as the have now become best friends) can call BCN at any time to talk to someone about making changes to my policy. I have to call weekly, and document on my own, the date & time & whom I spoke to, to ensure my information has not been tampered with. Yet this hospital will get away with this, because I have no money to hire a lawyer, nor do I know whom to report this to, to ensure others do not have the same problem with this facility. I can not be the only step-mother in this country that has a less-than-amicable relationship with their step-children’s parents. I am a medical coder, and therefore understand the HIPPA law a bit better than your average person. I do agree that some type of penaly should be enforced if a patient’s, or the patient’s policy holder (in this case, me) information is released without consent. I did not consent for this information to be released to my step-daughter’s mother, yet I am the one who must withstand all the issues that come with Lapeer Regional Medical Center’s lack of confidentiality.

3. Sally Says:
   August 4th, 2010 at 12:41 pm

   Stephanie ~
   You should file a HIPAA complaint through The Office of Civil Rights. You can do it on-line. Trust me they will investigate it and fix it. They really mean business. They will want names and a complete story with dates. They will fix the problem once they hear from OCR. Good luck to you.

4. Mike D Says:
   August 4th, 2010 at 12:42 pm

   So far, my private financial information has been compromised thru a college where I teach at, one of my credit card holders and my mortgage company…Nothing happened to any of these entities for allowoing breaches to occur. I find it very interesting and frustrating that Healthcare providers are being held to a standard that no one else is.

5. MichaelM Says:
   August 4th, 2010 at 3:21 pm

   Stephanie:

   To the extent that your insurance contract number is considered PHI, complain to OCR. If you can verify that they have actually disclosed information by having insufficient systems to verify the identity of the caller, then OCR can handle that is well. If no PHI is being disclosed and their system defects simply permit a third party to change your insurance, OCR has no authority there. I would look to the state insurance commissioner to handle that one.

Add a Comment

Name (required)

Email Address (will not be published) (required)

Attention: AAPC does not regularly monitor comments posted here. For customer service issues, contact us. In addition, we recommend posting your questions to the AAPC forums.

CAPTCHA Code *