Department of Health and Human Services has relaxed rules on reporting privacy breaches of medical records

Under a rule finalized by the Department of Health and Human Services (HHS), physicians will be required to notify patients of a privacy breach of their records only if the physicians determine that notification is warranted by the level of potential harm, according to an article in American Medical News. The original Breach Notification for Unsecured Protected Health Information rule indicated that physicians and hospitals had to notify patients of any kind of privacy breach, regardless of whether it caused harm. Enforcement of the final rule is expected to begin in February 2010.

In endorsing the final breach rules, the American Hospital Association, the Medical Group Management Association, and Premier Inc, an alliance of hospitals and health organizations, wrote to HHS Secretary Kathleen Sebelius that the harm threshold is consistent with language in the portion of the federal stimulus bill calling for new rules on privacy breaches and corresponds with guidance from several federal agencies as well as some state laws addressing breaches. However, the consumer groups Consumer Watchdog and the Center for Democracy and Technology and 6 members of Congress countered with a letter to Sebelius arguing that allowing a breached organization to determine the level of risk and whether notification is necessary is not good policy.

Dolan PL. Privacy breach rules require practices to report only harm done. American Medical News. November 16, 2009. http://www.ama-assn.org/amednews/2009/11/16/bisb1116.htm. Accessed December 14, 2009.