WASHINGTON – The Department of Health and Human Services withdrew its final breach notification rule for unsecured protected health information. Withdrawal of the rule came in late July, just days before the Rite Aid Corp. agreed to pay $1 million to settle potential violations of federal privacy rules.
Some observers say the Rite Aid case, in which the national drug store chain allegedly failed to protect discarded customer prescription information in publicly accessible dumpsters, may have triggered the withdrawal of the rule. The new rule was supposed to replace an interim rule that went in effect Sept. 23, 2009.
HHS said it withdrew its final breach notification final rule on July 28 from the White House Office of Management and Budget where it was being reviewed, "to allow for further consideration, given the department’s experience to date in administering the regulations."
"This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," HHS said in a statement.
HHS officials said they intend to publish a new final rule "in the coming months."
According to HHS' Office of Civil Rights Director Georgina Verdugo, as part of the settlement, Rite Aid will establish policies and train employees on how to protect sensitive patient information.
"We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process," Verdugo said.
Patient Privacy Rights, a patient privacy advocacy group, was pleased HHS withdrew the rule because it did not allow for patients to be notified in every instance of a breach of their sensitive information.
"This is a huge step in the right direction," said Deborah Peel, founder of Patient Privacy Rights. "Congress, the Coalition for Patient Privacy, and patients everywhere spoke out against the blatant disregard for patients' rights to be notified of all breaches."
According to Peel, Patient Privacy Rights opposed a section of the rule they call, the "harm standard." The harm standard would allow businesses entities that suffer a breach of data security to decide whether patients are likely to be harmed by the breach.
"Put simply, the proposed final rule granted the power to decide whether to report breaches or not to the businesses that failed to protect sensitive health data, and would not want to disclose breaches," Peel said.
"Talk about letting the fox guard the hen house," she said.
