Privacy

HHS Delays Release of Final Health Breach Notification Rule

Published: Aug. 04, 2010

Updated: Oct. 05, 2020

HHS announced last week that it was withdrawing a proposed Final Rule on Breach Notification for Unsecured Protected Health Information from Office of Management and Budget (“OMB”) review “to allow for further consideration.” While the agency did not specify why the rule was withdrawn from OMB review, there is some speculation that HHS may be revisiting the controversial risk of harm standard in the Interim Final Rule. The provisions of the Interim Final Rule only require an entity suffering a breach of PHI to make the required notifications if the entity determines that the breach is likely to pose a “significant risk of financial, reputational, or other harm to the individual.” The risk of harm standard (which was not included in the FTC’s Final Health Breach Notification Rule) has been the target of complaints from patient privacy organizations, members of Congress, and other privacy advocates, who argue that the standard is too lenient.

HHS did not provide a specific time frame for the release of the Final Rule, saying that only that the agency intends to release the Rule “in the coming months.”