Congress and HHS continue to disagree on health data breach disclosure rules

The new federal health information data breach disclosure rules went into effect in September, but as HHS works on finalizing another set of HIPAA rule changes (this time about penalties for HIPAA violations), Mitch Wagner of Information Week notes that Congress and the administration are still arguing about the subjective “harm” threshold that HHS inserted into the breach disclosure law, as seen in a letter from six Congressmen to HHS Secretary Kathleen Sebelius. This provision gives entities that suffer a data loss or theft the option of not reporting the disclosure if the entity believes no harm will occur to individuals because of the breach. We’re with Congress on this one. Requirements like accounting of disclosures, which apply both to health information under HIPAA and to government information like IRS tax records, don’t have these sorts of exceptions (HIPAA accounting used to be waived for routine disclosures in the course of treatment or normal business operations, but the HITECH Act changed that, and now all disclosures must be recorded).

The biggest problem is the subjectivity (and the fact that the subjective decision is in the hands of the breach sufferer). Is “harm” intended to mean actual financial harm? Identity theft? Embarrassment? Nothing in the rules provides any guidance on this. Perhaps had these rules been in place, the public would not have heard about the UCLA Medical Center staff members who viewed Britney Spears’s medical records; it would seem they were driven only by celebrity curiosity rather than a desire to use the information they saw for any particular purpose, so did that cause “harm” to Spears or not, particularly if she didn’t know about it? HHS has acknowledged that it chose to deviate from the wording of the law in the HITECH Act and added the no-harm exception in response to multiple comments it received on the draft version of the breach notification rules.
It’s not hard to imagine the organizations that were the source of these comments, given that the final rule now delegates to HIPAA-covered entities and business associates the responsibility for determining whether a loss of health information is significant or not.