Privacy breach rules require practices to report only harm done

Health care organizations can self-assess whether a technology snafu needs to be disclosed.

By Pamela Lewis Dolan — Posted Nov. 16, 2009

Physicians won't have to notify patients of every breach of privacy regarding their records, under a rule finalized by the Dept. of Health and Human Services.

A provision in the Breach Notification for Unsecured Protected Health Information rule allows health care organizations to self-assess the level of potential harm when a breach occurs and determine whether notification is warranted. Originally the rule indicated physicians and hospitals would have to notify patients of any kind of privacy breach, regardless of whether it caused harm.

Enforcement is expected to begin in February 2010.

The American Hospital Assn.; the Medical Group Management Assn.; and Premier Inc., an alliance of hospitals and health organizations whose members, among other things, share clinical data with each other, wrote letters to HHS Secretary Kathleen Sebelius endorsing what is called the harm threshold.

The AHA and Premier said the harm threshold is consistent with language in the Health Information Technology for Economic and Clinical Health Act, the portion of the federal stimulus bill that called for the new rules on privacy breaches. They also said it corresponds with the guidance of several federal agencies as well as some state laws addressing breaches. Those laws allow organizations to determine whether a breach could result in harm to a person's financial well-being or reputation.

The MGMA said in its letter that allowing health organizations to assess the risk will help alleviate the administrative and financial burden of providing notification when there is no threat of harm. The group also noted that penalties for failing to notify when it is warranted will give organizations incentive to err on the side of caution and notify more often.

Two consumer groups, Consumer Watchdog and the Center for Democracy and Technology, argue that placing the onus on a breached organization to determine the level of risk and whether notification is necessary is not good policy.

"In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous," wrote John Simpson, who drafted Consumer Watchdog's letter to Sebelius.

The two groups joined six members of Congress who also expressed their opposition to the provision in a letter to Sebelius. They said the House Committee on Energy and Commerce considered and rejected a similar provision because of the "breadth of discretion that would be given to breaching entities."

A separate rule, which takes effect Nov. 30, substantially increases the civil monetary penalties HHS can impose for violations of the Health Insurance Portability and Accountability Act. The HIPAA enforcement interim final rule establishes tiered penalties up to a maximum of $1.5 million for a violation.

Meanwhile, a survey released Oct. 15 by security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research, tried to shed some light on the problem of health records breaches.

Nearly 80% of the survey's 542 respondents, mostly senior information technology managers at health systems, said they had experienced a security breach, with 42% reporting more than one. Of those who reported a data breach, 91% said it included electronic health information.

Survey answers were self-reported, and a breach was loosely defined as the loss of patient data. But Harry B. Rhodes, director of practice leadership for the American Health Information Management Assn., said that based on his own analyses of breach incidents provided by the Privacy Rights Clearinghouse, "it seems like it's more of a problem with things not technical."

Incidents such as the loss or theft of computers, misplacement of memory sticks and loss of BlackBerry devices are the cause of most breaches, he said.
