[ Thursday, August 26, 2010 ]
More on the "harm" threshold (and its possible demise):
During this past week, the AHLA "HIT list" listserv has buzzed with commentary on the "harm" threshold (in large part started by the NYT article mentioned here
), whether it should even be in there (or is an unconstitutional expansion of the statute beyond the capacity of HHS to enact), and whether it's a good idea even if it can be instituted via regulation. Dom Nicastro has a nice article
comparing the California breach notification statute, which is a net that catches all, to the the HIPAA breach notification provisions, which allow the "no harm" breaches to be excluded from the reporting requirement. Virtually all of the California healthcare breaches reported to the state were not reported to HHS under the "harm" standard (although it's possible some were not reported because they fit into one of the other HIPAA exceptions to reporting). Which means either we need the "harm" threshold to prevent useless and unnecessary reporting, OR we must get rid of the "harm" threshold because it is abused in its use.
Jeff [9:39 AM]
Blogger: HIPAA Blog - Edit your Template