• E-mail
• Print
• RSS

HIPAA harm threshold works, say providers

HIPAA Weekly Advisor, February 15, 2010

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

HHS’ “harm threshold” standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.

At the 18th annual National HIPAA Summit February 5, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published in the August 24 Federal Register gives covered entities the power to prevent unnecessary notifications.

“If you flood your patients with huge (breach) concerns, you’re going to open up a floodgate of problems in your organization where you really may not have had a risk to start with,” Hofman said.

The panelists at the three-day seminar at the Wardman Park Hotel in Washington, DC, responded to a question from an attendee on the controversial harm threshold after their presentation, “HIPAA Privacy and Security Compliance Professional Roundtable: Advanced Issues in HIPAA Compliance.”

HHS says in the interim final rule that many commenters on its draft guidance released in April suggested that HHS add a “harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual.”

Now, covered entities and their BAs will perform a risk assessment to determine if the individual whose PHI was inappropriately dispensed into the wrong hands faces a significant risk of harm.

Read the full story on HIPAA Update.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive