HHS withdraws final health data breach notification rule for revision

The Department of Health and Human Services (HHS) announced last week that it has withdrawn the final version of its rule on Breach Notification for Unsecured Protected Health Information, which it had submitted to OMB for review in May. HHS gave no specific reason for wanting to reconsider the rule, other than to note the complexity of the issue. The Interim Final Rule for breach notifications that went into effect last September remains in force pending further action on the final rule.

HHS did note that it received over 100 comments during the interim final rule’s 60-day comment period last fall, and there is some speculation that the decision to revise the rule again before finalizing it is due in particular to concerns over the provision that would allow entities suffering breaches to make their own subjective determination of whether the breach would result in “harm” to those whose personal data was disclosed. If an entity determined that no harm was likely to result, then the entity need not provide notification of the breach, either to HHS or publicly. Shortly after the IFR was published, objections to the harm provision were raised not only by patient privacy advocates but also by members of Congress, and unless the now-withdrawn final rule had been amended to strike that provision, it seems likely that additional efforts at either the federal or state level might have been undertaken to remove this notification exception.

There is an active debate over unauthorized data disclosures and potential or actual harm to the victims of such breaches beyond the health breach disclosure context. Lawsuits filed over breaches of personal information are routinely dismissed when the parties who bring the suits are unable to demonstrate that actual harm or injury has occurred, rather than merely that the potential for harm exists. The legal issue in these cases has little to do with privacy or, generally, with violations of breach notification laws, but with standards of civil procedure and tort liability requirements, which demand that plaintiffs be able to show actual harm in order to bring causes of action for negligence or poor security or data handling practices. Having general or domain-specific breach notification laws on the books should in theory help overcome the negligence right of action issue, but at least in the case of federal health data breaches, that will only be true if organizations responsible for data breaches can’t exempt themselves from notification because they believe the subjects of the breaches suffered no actual harm (or have no evidence that they did).