HHS Withdraws Breach Notification Final Rule

September 8, 2010

On August 28, 2010, the U.S. Department of Health and Human Services (HHS) announced on its website that it has withdrawn the final breach notification rule from the Office of Management and Budget (OMB) to “allow for further consideration, given the Department’s experience to date in administering the regulations.” During the 60-day public comment period on the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, HHS received approximately 120 comments.

The Interim Final Rule, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, became effective September 23, 2009. The regulations, developed by the Office of Civil Rights, require a HIPAA-covered entity to notify affected individuals and the Secretary of HHS of a breach, and to inform the media in cases where a breach affects more than 500 individuals. The regulations also require a business associate of a covered entity to notify the covered entity of a breach at or by the business associate.

On May 14, 2010, HHS submitted a final breach notification rule to the OMB for regulatory review. The Office of Information and Regulatory Affairs (OIRA), part of the OMB, is charged with overseeing agency draft regulations before publication to ensure agency compliance with Executive Order 12,866. OIRA’s review is one of the final steps prior to publishing a rule in the Federal Register.

In its announcement, HHS stated, “This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.”
