Archive for October, 2009
No major changes to HITECH enforcement. Just some slight language changes.
The interim final rule becomes effective November 30. HHS has invited public comments on the interim final rule, which will be considered if received by December 29.
Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?
3. I don’t know
To submit your answer, go to “Quick Poll” at HCPro’s Corporate Compliance Web site.
Throw in some more rhetoric in support of HHS eliminating its “harm threshold” from its interim final rule on breach notification. This time, it’s the consumer advocacy group Consumer Watchdog, which says in a letter to HHS:
Inexplicably, and flouting Congressional intent, the Department of Health and Human Services has introduced a “harm” standard before breach notification is required. You have decided to interpret “compromises the security” of data to include a substantial harm standard. Under the HHS interpretation, if the breaching entity decides there is no significant risk of financial, reputation or other harm to the individual, the provider or health insurer never has to disclose that the sensitive information was used or disclosed in violation of the federal privacy rule.
In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous.
It is even more troublesome when one recalls that the House Committee on Energy and Commerce considered a similar “harm” standard during discussions of health and information technology legislation in May 2008. Committee members considered public comments and practices of various states; they explicitly rejected a “harm” standard.