HHS Delays Review of Final HIPAA Breach Notification Rule
The Department of Health and Human Services (“HHS”) has delayed release of the breach notification regulations that covered entities and business associates must adhere to in the event of improper disclosures of protected health information (PHI).
Pursuant to last year’s Health Information Technology for Economic and Clinical Health Act (HITECH), HHS was required to develop regulations governing how covered entities and business associates are required to respond in the event patient PHI is stolen, leaked, or otherwise improperly disclosed. HHS issued an interim final rule on August 24, 2009, which became effective on September 23, 2009. The interim final rule sets out the breach notification standards, such as how to identify if a breach has occurred; who must be notified in the event of a breach; and the manner in which notification must occur.
During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments. After review of the comments, HHS developed a final rule, which was submitted to the Office of Management and Budget (OMB) for regulatory review on May 14, 2010. However, on Friday HHS withdrew the final rule from OMB review. While the scope of the changes HHS intends to make is unclear (the final rule was not published before the retraction), it appears that the Final Rule may include even stricter breach notification guidelines.
“This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” the OCR announcement stated.
Health care providers should take note that the interim final rule, which took effect in September 2009, remains in effect while the details of the final rule are being developed.
The decision to pull the final rule from OMB review follows last week’s announcement that Rite Aid Corporation and its 40 affiliated entities will pay $1 million to settle potential privacy disclosure allegations with HHS. The allegations arose after pharmacy videotapes surfaced showing that Rite Aid pharmacies disposed of prescriptions and bottle labels containing PHI in industrial trash containers that were accessible to the public.