California, the state that enacted a precedent-setting medical privacy law, fields more than 220 notifications of potential breaches from licensed facilities per month, according to figures released by the state’s Department of Public Health.
From January 1, 2009, when AB 211 went into effect, through May 31, 2010, entities reported a total of 3,766 breaches. The law requires health providers to prevent unlawful access to, use of, or disclosure of patients’ medical information and to report violations both to DPH and to the individuals affected.
The California Department of Public Health (CDPH), which enforces the law, receives notification of a little more than seven breaches a day. While California law requires licensed entities to report any and all potential breaches, federal regulation currently gives providers a way out.
Under the “harm threshold” provision of the HITECH interim final rule on breach notification, providers may conduct a risk assessment to determine whether the potential breach poses a significant risk of financial, reputational, or other harm to the patient. If it does not, no notification is required.
Congress did not write this into the HITECH Act. The Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules at the federal level, added it through regulation.
The preamble to that regulation, published in the Federal Register on August 24, 2009, notes that many commenters had suggested OCR add a “harm threshold such that an unauthorized use or disclosure of [personal health information] is considered a breach only if the use or disclosure poses some harm to the individual.”
Today, one year later, that rule is in effect, but only on an interim basis. OCR submitted a final rule on breach notification for review by the Office of Management and Budget (OMB) but withdrew it earlier this month.
OCR did not specify why it withdrew the final rule, but some speculate OCR may remove the “harm threshold” and be more like California, where all breaches are reported.
Of those 3,766 breaches reported in the Golden State, California’s investigations team has completed reviews of 1,953. It found 98.7% of those to be “substantiated medical breaches.”
One California attorney says a harm threshold would help avoid the need to report innocuous breaches such as a fax going to the wrong provider.
“You add a huge expense and worry people” by reporting harmless breaches, said Paul Smith, partner with Davis Wright Tremaine LLP of San Francisco and co-chair of its health information privacy practice.
Most healthcare entities handle breaches in a “conscientious” way, Smith says.
“They understand that if there is a risk to the patient, it’s in everyone’s interests to provide notification.”
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, agrees that sending notification upon notification can unnecessarily panic people “who really are at no risk of harm.” “Secondly,” he says, “getting breach notifications every time a truly low-risk potential disclosure occurs will result in ‘warning fatigue.’”
It’s like the boy who cried wolf, and “people will ignore notices they get when there really is something to worry about,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”
“Some things we do out of an abundance of caution, because there’s really little or no downside to doing so,” Drummond adds. “Here, there really is a potential downside for giving warnings that aren’t really necessary.”
However, Drummond said he would not be surprised if the harm threshold were eliminated because Congress did not intend for it to be included in the final breach notification structure.
Under the interim final rule, covered entities and their business associates (BAs) perform a risk assessment to determine whether there is a significant risk of harm to the individual whose protected health information (PHI) ended up in the wrong hands.
The interim final rule frames the key questions as:
- In whose hands did the PHI land?
- Can the information disclosed cause “significant risk of financial, reputational, or other harm to the individual”?
- Could the harm be mitigated? For example, can the entity obtain forensic evidence that the data on a stolen laptop was never accessed?
When asked this week by HIPAA Update whether it was considering removing the harm threshold, OCR deferred to its earlier statement posted on its website.
“This is a complex issue, and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR said of its reason to further review the breach notification final rule.
California, meanwhile, continues to operate without a harm threshold, and as of May 31 the state had investigated 51.8 percent of the cases reported.
The reported breaches break down as follows:
- 2,914: Unintentional breach to person outside facility/healthcare system. Example: A patient’s prescription is faxed to the wrong number and ends up in a lawyer’s office instead of the corner pharmacy.
- 559: Unintentional breach by healthcare worker within the facility/healthcare system. Example: A nurse faxes a patient record to cardiology instead of radiology.
- 147: Malicious breach by healthcare worker. Example: A healthcare worker looks at the medical record of a patient without any medical reason to do so.
- 125: Breach of computer system, or theft or loss of an electronic device or medical records. Example: A hospital laptop is stolen from an employee’s personal car.
- 21: Malicious breach by person other than a healthcare worker. Example: Someone visiting the hospital sees a medical file on a desk and decides to pick it up and start reading.