HHS rethinks final rule on privacy breach notifications

HHS withdraws final rule for more consideration

Modern Healthcare - News - Joseph Conn

HHS last week withdrew a proposed final version of a federal rule that requires hospitals, physicians, health plans and other specified handlers of patient health records to notify patients if their personally identifiable health information is exposed by a data security breach.

In a notice posted on its website, HHS said it was withdrawing the final breach-notification rule from review by the Office of Management and Budget “to allow for further consideration, given the department’s experience to date in administering the regulations.” The final rule had never been published.

However, the withdrawal does not affect the interim final rule on breach notification that went into effect last fall, according to Susan McAndrew, deputy director for health information privacy in HHS’ Office for Civil Rights. The interim final rule “remains in full force and effect,” McAndrew said in an e-mail.

The Civil Rights Office has enforcement authority for privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.

A new, federal breach-notification requirement was among a number of more stringent health information technology privacy and security provisions of the American Recovery and Reinvestment Act of 2009. On Aug. 24, 2009, HHS published an interim final rule on breach notification, which became effective Sept. 30, 2009. Since then, more than 100 organizations that exposed the protected healthcare information of 500 or more people have posted information about
