WASHINGTON – The Department of Health and Human Services withdrew its final breach notification rule for unsecured protected health information last week, with health privacy advocates calling it "a win" for patient privacy.

The rule had been effective since last Sept. 23. 

In announcing the withdrawal of the rule, HHS officials said, "This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur." HHS officials said.

HHS intends to publish a new final rule in the Federal Register "in the coming months," they said.

Patient Privacy Rights congratulated HHS for acknowledging the flawed rule and the need for stronger patient protections.

"This is a huge step in the right direction," said Deborah Peel, founder of Patient Privacy Rights. "Congress, the Coalition for Patient Privacy, and patients everywhere spoke out against the blatant disregard for patients' rights to be notified of all breaches."

According to Peel, Patient Privacy Rights opposed a section of the rule they call, the "harm standard."

The "harm standard" would allow businesses entities that suffer a breach of data security to decide whether patients are likely to be harmed by the breach. "Put simply, the proposed final rule granted the power to decide whether to report breaches or not to the businesses that failed to protect sensitive health data, and would not want to disclose breaches," Peel said. "Talk about letting the fox guard the hen house."

Last October, House leaders wrote HHS protesting the "harm standard," calling on HHS to revise or revoke it.