Health Information Management

Congressmen disagree with HHS 'harm standard'

HIM-HIPAA Insider, October 12, 2009

Six members of Congress signed an October 1 letter written to HHS Secretary Kathleen Sebelius urging HHS to repeal or revise the harm standard provision included in HHS’ interim final rule on breach notification.

HHS added the harm standard in the interim final rule – published in the August 24 Federal Register – so that an unauthorized use or disclosure of PHI is considered a breach only if the use or disclosure poses some harm to the individual.

The Congressmen say this concept was explicitly rejected when they crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.

“ARRA's statutory language does not imply a harm standard,” the Congressmen wrote to Sebelius. “In drafting Section 13402 (‘notification in case of a breach’) committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

Read the full letter here.

Most Popular