Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers
In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and puts them in limbo until new regulations are published when responding to a security incident involving PHI.
In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.
The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.
If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.
The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.
This entry was written by Philip L. Gordon.