OCR will not comment on factors that compelled the withdrawal. "These are routine, formal regulatory processes," according to a statement from the agency.
OCR has been under industry pressure, which was evident during a May conference that the agency hosted, to remove a "harm threshold" in the interim final rule that enables an organization to not issue notification of a breach if it determines no consequential harm has resulted or will result from the breach.
What follows is the HHS notice that it has temporarily pulled the final rule:
"The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
"HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months."
--Joseph Goedert
Be the first to comment on this post using the section below.