HHS Withdraws Breach Notification Final Rule (but breach notification still effective)

Friday, July 30, 2010

HHS Withdraws Breach Notification Final Rule (but breach notification still effective)

Interesting press release from the Department of Health and Human Services (HHS) relating to the HITECH Breach Notification Final Rule. The Interim Final Rule is still effective, but one can't help but wonder what HHS may be reconsidering given the numbers of breaches reported since September 2009.

Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

About The Editor and Contributors

Cynthia Larose is a member in Mintz Levin's Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach. For Cynthia's complete Biography, visit Mintz Levin corporate website here

Contributors

Dianne Bourque - Bio

Elissa Flynn-Poppey - Bio

Haydon A. Keitner - Bio

Lance Kurata - Bio

Kevin M. McGinty - Bio

Jennifer Rubin - Bio

Julia Siripurapu - Bio

Michael S. Arnold - Bio

Disclaimer

I am a lawyer having a professional obligation to remind readers that my posting and participation in this Blog does not constitute a solicitation for employment or legal advice; however, what I write may constitute attorney advertising in some jurisdictions requiring a cautionary reminder that prior results do not guarantee a similar future outcome. In that regard, please note that I am licensed and authorized to practice law only in the District of Columbia and the States of Massachusetts and New Hampshire. Communications through this Blog, whether posted or made through a private email to me, will not create an attorney-client relationship and, therefore, do not post on the Blog, or send me or anyone else through this Blog, secret or confidential information because such communications will not be entitled to protection by the attorney-client privilege. Finally, given the nature of a Blog, involving commentary and spontaneous thought that could change after reflection or further developments, I make no warranty or guarantee as to the accuracy, completeness or adequacy of information posted by anyone on this Blog, including me. Any opinions expressed in this Blog are solely the opinion of the author and not of my law firm or anyone else associated with my law firm.

Friday, July 30, 2010