When the HITECH Act portion of the American Recovery and Reinvestment Act became effective in late September, IT Business Edge blogger Mike Vizard argued that the HITECH Act has a big loophole that allows an organization that suffers a breach to skip the notification requirements if it can determine that the breach did not harm anyone.
Vizard's not the only one raising such issues. The Center for Democracy and Technology asked similar questions after the Department of Health and Human Services issued its interim final rules. Staff counsel Harley Geiger said:
The primary purpose for mandatory breach notification is to provide incentives for health care companies to protect data. ... However, the harm standard institutionalized in HHS' interim final rule cripples this crucial incentive. For breach notification purposes, it no longer matters whether health care companies protect data via encryption so long as the companies decide that the breach poses no significant risk of harm to the patient.
Here's the thing, though: The companies bear the burden of proving that there's no significant risk of harm. It's not like they can just decide, "Oh, it's not going to hurt anyone. Who needs to know?" They have to demonstrate why the breach does not pose a risk to the individuals whose information was compromised.
Risk assessments must be fact-specific inquiries. A risk assessment performed pursuant to the Rule should determine who impermissibly used the information and/or to whom the information was impermissibly disclosed, and should address the type and amount of PHI involved in the impermissible use or disclosure.