Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), covered entities must notify individuals and HHS of any unauthorized acquisition, access, use or disclosure of the individual's unsecured protected health information (PHI) which "compromises the security or privacy of such information." HITECH Act, § 13400. The breach notification law applies to PHI in any format or media, including written or electronic PHI. When issuing the Interim Final Rule for breach notification last year, HHS interpreted the HITECH Act to require notification of breach only if a covered entity determined that the violation or breach poses a "significant risk of financial, reputational or other harm to the individual." 45 C.F.R. § 164.402(1)(i). The preamble to the Interim Final Rule states that notification may not be required if a covered entity, such as a hospital or insurer, determines, after a risk assessment, that the individual whose PHI was accessed, used or disclosed will not be harmed. See 75 Fed. Reg. 42740, 42744 (August 24, 2009).
In response to opposition from several members of Congress and privacy advocates to the risk-of-harm standard in the HIPAA breach notification Interim Final Rule, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) recently withdrew its final breach notification rule to "allow for further consideration, given the Department's experience to date in administering the regulations" -- perhaps creating pressure on HHS/OCR to craft a more stringent final rule.
Covered entities should note that the obligation to report breaches of unsecured PHI, which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the HITECH Act, remains in effect. All covered entities, and their business associates, should have in place and/or adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.