HITECH Act Reporting Starts September 23rd

Posted by: Doug Pollack | September 21st, 2009

Starting September 23, 2009, healthcare organizations covered by HIPAA and the HITECH Act will be required, in the case of data breach incidents where personal health information (PHI) is improperly exposed, to notify both the individuals affected by the breach as well as the federal government, who will post this information publicly.

The data breach notification provision was an important element of the HITECH Act, which is the first federal legislation, in this case targeted at healthcare organizations, that specifies what constitutes a data breach and what notification is required for such incidents. In this case, “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI).”

An interesting controversy has recently surfaced in the way the Office of Health and Human Services has “interpreted” the HITECH Act breach notification provisions. The Interim Final Rule issued by HHS on August 24, 2009 specifies that a data breach incident involving PHI only requires notification if the breach represents a “significant risk of financial, reputational or other harm to the individual whose PHI has been compromised.”

In issuing this Rule, many in the industry believe that HHS has exceeded congressional intent by adding a “harm threshold” that is to be self-assessed by the very organization that caused the data breach incident.

A recent article in Computerworld titled “HHS guts health-care breach notification law, groups warn” illustrates this disconnect. It quotes Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights as saying:

“This harm requirement actually violates Congress’ intent in the stimulus bill. This is essentially an industry rewrite of the law. Given the way the law is worded, health-care organizations will have little incentive to own up to a breach involving protected health care data. This is totally for the protection of the industry. It eliminates the consumer protection that Congress intended to be built into it.” She added that her organization will be part of a “giant response” to the proposed change by national consumer protection and privacy organizations.

Over-notification of individuals for totally benign incidents is not a positive thing, because of the level of concern and anguish that can accompany such situations. Even so, by setting a harm threshold that allows a self-assessed determination of whether a data breach incident should be reported, HHS seems to have given healthcare providers more of a “get out of jail free card” when incidents occur than those who wrote the law intended.

Independent of how this controversy resolves itself, there is no question that healthcare organizations, starting on September 23rd, must carry out a “risk assessment” whenever an incident occurs that could possibly breach the security and privacy of the PHI they hold. Such organizations would be well advised to have clear policies and processes for such events, and to document the analysis and conclusions clearly.