HIPAA Blog

[ Thursday, July 08, 2010 ]

 

HHS Presser: I wanted to ask a question about the "harm" rule, so I pressed *1 and gave my name. I was returned to the press conference, but after the second question, everything went dead. My line is still open, just dead. OK, now they announce that the press conference is over. That's pretty stupid. They didn't say, "Well, we're out of time, thanks for all your questions." They just answered 2 questions (the answers were "no" and "no") and the line went dead.

Well done, guys. I'm sure the rest of your "outreach" and your "listening tour" will be handled just as well. Sheesh.

PS: my question: When the Data Breach interim final rule was published, there was an "Easter Egg" in it for covered entities that suffered a breach of unsecured PHI. If you can reasonably conclude that there's no substantial risk of financial, reputational, or other harm from the breach, you don't have to make a notification. That gives any covered entity almost carte blanche to decide that almost any breach need not be reported. Several congressmen (I think Markey and Waxman included) wrote HHS to say that's not what we intended when we wrote the legislation. My question was whether HHS in this NPRM would follow the congressmen's wishes and walk back the "no harm" rule. The answer is "No," although the subtext of the answer might be that because that was in a different rule-making (an interim final rule rather than a NPRM), if it is addressed, it will be addressed separately. But they gave no indication at all that there would be any walk-back on the "no harm" rule. Party on, Wayne!

Jeff [10:11 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template