On August 28, 2010, the U.S. Department of Health and Human Services (HHS)
announced on its website that it had withdrawn the final breach notification
rule from the Office of Management and Budget (OMB) to “allow for further
consideration, given the Department’s experience to date in administering the
regulations.” During the 60-day public comment period on the Interim Final Rule
for Breach Notification for Unsecured Protected Health Information, HHS received
approximately 120 comments.

The Interim Final Rule, issued pursuant to the Health Information Technology
for Economic and Clinical Health (HITECH) Act, became effective September 23,
2009. The regulations, developed by the Office of Civil Rights, require a HIPAA-covered
entity to notify affected individuals and the Secretary of HHS of a breach, and
to inform the media in cases where a breach affects more than 500 individuals.
The regulations also require a business associate of a covered entity to notify
the covered entity of a breach at or by the business associate.

On May 14, 2010, HHS submitted a final breach notification rule to the OMB
for regulatory review. The Office of Information and Regulatory Affairs (OIRA),
part of the OMB, is charged with overseeing agency draft regulations before
publication to ensure agency compliance with Executive Order 12,866. OIRA’s
review is one of the final steps prior to publishing a rule in the Federal

In its announcement, HHS stated, “This is a complex issue and the
Administration is committed to ensuring that individuals’ health information is
secured to the extent possible to avoid unauthorized uses and disclosures, and
that individuals are appropriately notified when incidents do occur. We intend
to publish a final rule in the Federal Register in the coming months.”