The Department of Health and Human Services should retain its “risk of harm” standard in the final rule on breach notification for unsecured protected health information, the American Hospital Association said in a comment letter to the agency on Friday.
Under the proposed rule, HHS has put in place a trigger, which compels providers to inform patients or residents when there has been a breach of their private information. The AHA argues that the “risk of harm” standard would prevent patients and residents from being inundated with unnecessary notifications, causing undue anxiety and worry. Under the “risk of harm” standard, providers only would be compelled to inform patients and residents in the event that their private information is in actual danger. The “risk of harm” standard is in full accordance with the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was passed as part of the American Recovery and Reinvestment Act earlier this year.
Friday was the final day for comments on the proposed rule. More information is available at www.hhs.gov.