HealthBlawg

David Harlow's Health Care Law Blog


Comments on HITECH Act breach notification rule – from Capitol Hill

October 5, 2009

Regulations are written to implement legislation.  If all legislation were perfectly clear and easily understood by all, there would be little need for regulations.  

In late August, HHS issued an interim final rule, effective late September, with a 60-day comment period, to implement the breach notification requirements of the HITECH Act.  One element of the rule involved establishing a standard not included in the legislation.  More specifically, HHS elected to read a "harm" standard into the breach notification rule; to use a sports analogy: no harm, no foul.  The thinking is: Why trigger breach notification requirements if, for example, an employee of a health care facility inadvertently accessed a patient record that he shouldn't have, where he immediately realized his error and closed the computer file without reading it or retaining any information from the file?

Well, Congressional leaders responsible for drafting the law in the first place disagree, saying that the squishiness inherent in any determination of whether or not there was any harm to a patient as a result of such a breach led them to back off of the harm standard, which was in an early draft of the law but was explicitly abandoned.  (Thanks to Alan Goldberg and Bob Coffield for highlighting the comment letter sent October 1 by Representatives Waxman, Rangel, Dingell, Pallone, Stark and Barton.)

So, the letter says that was the Congressional intent; of course, as any litigator could tell you, there are two sides to every story . . . .

Speaking of strict statutory standards that get translated into more flexible regulations for use in the real world . . . . Remember OBRA 1987?  That was the law that led to the development (over the next ten years) of the current SNF survey and certification schema.  The statute had a "zero tolerance" standard in its conditions of participation; HCFA (now known as CMS) concluded that since most SNFs were not in 100% compliance, and since Congress probably didn't mean to shut down the entire industry, it would promulgate a "substantial compliance" standard instead.

I do not recall whether there was any legislative history showing what Congress meant when it enacted OBRA 1987 with a zero tolerance standard.  (Anybody?  Help me out here.)  I bet there are other examples out there of regulations implementing "zero tolerance" statutes with "substantial compliance" sorts of standards.  (Feel free to note them in the comments.)

What do you think?  Is the standard too squishy?  Should the regs be pulled back to reflect the avowed legislative intent?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health care policy, Health Law, HIPAA, HIT, Privacy


Comments

  1. HLGCDT says

    October 12, 2009 at 6:56 pm

    The concept of a risk assessment makes sense.
    The problem is HHS used the wrong assessment criteria.

    If you read the legislation’s language, it refers to compromising the privacy and security of DATA, not individuals.
    Therefore, whether health information has been compromised should be determined by an assessment of the risk that the data has been or will be inappropriately acquired, viewed or used.
    The Federal Trade Commission already adopted a similar standard for its breach notification rules for personal health records.

    This “acquisition-based” risk assessment is more aligned with Congressional intent than the “harm-based” risk assessment.
    Focusing on the likelihood of acquisition removes the subjectivity from the harm standard, preserves the incentives for health care companies to protect data, reduces unnecessary patient notifications, and is easier to enforce and administer.
    Hopefully HHS will revise the harm standard to this more appropriate approach.
