There have been several significant developments regarding the new HIPAA rules in the past few days:
- HHS has posted the instructions and forms to be used to make notifications to HHS of breaches of unsecured PHI. The forms are web-based for online submission. There are two forms: one for breaches affecting 500 or more individuals (required to be submitted “immediately” after the breach) and one for breaches affecting fewer than 500 individuals (required to be submitted annually within 60 days of the end of the calendar year, meaning disclosure of 2009 breaches is due by March 1, 2010).
- On October 1, 2009, Congressional leaders on the House Energy and Commerce and Ways and Means committees sent a letter to HHS objecting to the newly issued notice of breach rules and specifically to the risk of harm threshold in those rules. The Congressional leaders expressed concern at “the high bar” HHS has set for notifying individuals of breaches as the new rule requires notification only if the breach poses a “significant risk of financial, reputational, or other harm to the individual.” The letter claims that Congress considered and rejected this type of "risk of harm" threshold when drafting the HIPAA provisions in the American Recovery and Reinvestment Act and, thus, the new rules are not consistent with Congressional intent. The Congressional leaders requested that HHS revise or repeal the risk of harm threshold in the new notice of breach rules. This is a significant development and raises the possibility that the previously issued notice of breach rules may be changed.
- On October 1, 2009, proposed regulations were issued implementing the Genetic Information Nondiscrimination Act of 2008 (“GINA”), including regulations making changes to HIPAA rules. The proposed rules would modify the HIPAA Privacy Rule to clarify that genetic information is protected health information and to prohibit the use and disclosure of genetic information by covered health plans for eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
More information about HIPAA, the HI-TECH Act provisions of the American Recovery and Reinvestment Act, and the notice of breach rules is available on our HIPAA Resource Page.