HHS rethinks final rule on privacy breach notifications
HHS withdraws final rule for more consideration
HHS last week withdrew the final version of a federal rule that requires hospitals, physicians, health plans and other specified handlers of patient health records to notify patients if their protected health information is exposed by a data security breach.
In a notice posted on its website, HHS said it was withdrawing the final breach-notification rule from review by the Office of Management and Budget “to allow for further consideration, given the department’s experience to date in administering the regulations.” The final rule had never been published.
However, the withdrawal does not affect the interim final rule on breach notification that went into effect last fall, according to Susan McAndrew, deputy director for health information privacy in HHS’ Office for Civil Rights. The interim final rule “remains in full force and effect,” McAndrew said in an e-mail.
The Office for Civil Rights has enforcement authority for the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.
A new federal breach-notification requirement was among a number of more stringent health information technology privacy and security provisions of the American Recovery and Reinvestment Act of 2009. On Aug. 24, 2009, HHS published an interim final rule on breach notification, which became effective Sept. 30, 2009. Since then, more than 100 organizations that exposed the protected health information of 500 or more people have posted information about