HHS Lowers the Bar for Data Breach Notification

Last week, in the face of mounting pressure to do so, the Department of Health and Human Services (HHS) withdrew a ruling made in April 2009 that many felt contradicted Congress’s intent when it passed ARRA/HITECH.

Originally, the language in the HITECH amendment to HIPAA indicated that health information data breach notification would occur regardless of the “risk of harm,” meaning that notification had to happen even if the covered entity determined that the breach could cause no harm. However, when HHS issued its notification guidance in April of last year, it included a “risk of harm” provision, which allowed covered entities to decide for themselves whether or not there was a risk of harm.

Opponents to this position said that not only did the HHS ruling contradict Congress’s original intent, but it also put the “fox in charge of guarding the hen house.” 

The final HHS position on the issue of a “risk of harm” threshold for data breach notification won’t be clear until the department issues its revised position. Most data protection analysts, however, seem to believe that there will be no “risk of harm” loophole, which would significantly raise the liability of covered entities as well as business associates.

It should be noted that most state data breach notification laws do have a “risk of harm” provision; not having one was one of the major differences between HITECH and state laws. It should also be noted that only two states, Arkansas and California, cover health information in their data breach laws.

This move by HHS has little impact on, or connection to, the recently released Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH) (see the article below, FREE HIPAA MODIFICATIONS WEBINAR).