Physicians won’t have to notify patients of every breach of privacy regarding their records, under a rule finalized by the Dept. of Health and Human Services.
A provision in the Breach Notification for Unsecured Protected Health Information rule allows health care organizations to self-assess the level of potential harm when a breach occurs and determine whether notification is warranted. Originally the rule indicated physicians and hospitals would have to notify patients of any kind of privacy breach, regardless of whether it caused harm.
Enforcement is expected to begin in February 2010.
The American Hospital Assn.; the Medical Group Management Assn.; and Premier Inc., an alliance of hospitals and health organizations whose members, among other things, share clinical data with each other, wrote letters to HHS Secretary Kathleen Sebelius endorsing what is called the harm threshold.
The AHA and Premier said the harm threshold is consistent with language in the Health Information Technology for Economic and Clinical Health Act, the portion of the federal stimulus bill that called for the new rules on privacy breaches. They also said it corresponds with the guidance of several federal agencies as well as some state laws addressing breaches. Those laws allow organizations to determine whether a breach could result in harm to a person’s financial well-being or reputation.
The MGMA said in its letter that allowing health organizations to assess the risk will help alleviate the administrative and financial burden of providing notification when there is no threat of harm. The group also noted that penalties for failing to notify when it is warranted will give organizations incentive to err on the side of caution and notify more often.
Two consumer groups, Consumer Watchdog and the Center for Democracy and Technology, argue that placing the onus on a breached organization to determine the level of risk and whether notification is necessary is not good policy.
"In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous," wrote John Simpson, who drafted Consumer Watchdog’s letter to Sebelius.
The two groups joined six members of Congress who also expressed their opposition to the provision in a letter to Sebelius. They said the House Committee on Energy and Commerce considered and rejected a similar provision because of the "breadth of discretion that would be given to breaching entities."
A separate rule, which takes effect Nov. 30, substantially increases the civil monetary penalties HHS can impose for violations of the Health Insurance Portability and Accountability Act. The HIPAA enforcement interim final rule establishes tiered penalties, scaled to the violator's level of culpability, up to a maximum of $1.5 million per year for violations of the same provision.
Meanwhile, a survey released Oct. 15 by security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research, tried to shed some light on the problem of health records breaches.
Nearly 80% of the survey’s 542 respondents, mostly senior information technology managers at health systems, said they had experienced a security breach, with 42% reporting more than one. Of those who reported a data breach, 91% said it included electronic health information.
Survey answers were self-reported, and a breach was loosely defined as the loss of patient data. But Harry B. Rhodes, director of practice leadership for the American Health Information Management Assn., said that based on his own analyses of breach incidents provided by the Privacy Rights Clearinghouse, "it seems like it’s more of a problem with things not technical."
Incidents such as the loss or theft of computers, misplacement of memory sticks and loss of BlackBerry devices are the cause of most breaches, he said.