The Department of Health and Human Services' Office for Civil Rights has temporarily pulled a final breach notification rule it has developed but not yet published, according to an HHS notice. The rule had been submitted to the Office of Management and Budget for review before publication. It now is being withdrawn for further consideration based on OCR's experience thus far in administering the notification rule under an interim final rule.

OCR will not comment on factors that compelled the withdrawal. "These are routine, formal regulatory processes," according to a statement from the agency.

OCR has been under industry pressure, which was evident during a May conference that the agency hosted, to remove a "harm threshold" in the interim final rule that enables an organization to not issue notification of a breach if it determines no consequential harm has resulted or will result from the breach.

What follows is the HHS notice that it has temporarily pulled the final rule:

"The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

"HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months."

--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access