The Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule.
The Foundation called the withdrawal a "huge step in the right direction" and reiterated its disappointment with the "harm threshold" provision, which allows health care providers to conduct a risk assessment of any data breach before deciding whether it is necessary to report the breach to HHS. "The broad discretion granted to industry goes far beyond Congressional intent," read the Foundation's submission sent to HHS during the 2009 public comment period. "There was no mention of any consideration of a harm standard in HHS's previous Request for Information, thus thwarting any opportunity for public debate." Several Congressmen also submitted comments to HHS, expressing concerns over the breadth of discretion that would be given to companies, "particularly with regard to determining something as subjective as harm from the release of sensitive and personal information."
HHS is expected to publish a final rule in the Federal Register in the coming months.
Cynthia Larose is a member in Mintz Levin's Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach.