HHS Temporarily Halts OMB Review of Breach Notification Rule

Stop the review! That's basically what HHS recently told the Office of Management and Budget, or OMB, regarding HHS' breach notification final rule. The rule was sent to the OMB on May 14 for a regulatory review, as required by executive order.

As it stands currently, the rule would require physicians to post information about health information security breaches if 10 or more patients were affected. A breach affecting 500 or more patients would require that a practice notify all of its patients, a local media outlet and the HHS secretary.

A notice posted on the HHS website says the department needs more time to consider the rule, given the agency's "experience to date" in administering the regulations.

"This is a complex issue, and the administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures," says the notice. HHS also notes that it wants to ensure that when breaches of personal health information do occur, affected individuals are "appropriately notified."

HHS says it intends to publish a final rule in the Federal Register sometime in the coming months.

The breach notification rule has drawn fire from physician organizations, in part because physician practices would be required to enhance their patient information privacy policies and procedures at their own expense; no federal resources were allocated to help alleviate the financial burden those activities would pose.

Security breach fines starting at $100 and reaching as much as $1.5 million also raised eyebrows.

The breach notification rule is included in the Health Information Technology for Economic and Clinical Health Act (page 140; 187-page PDF; About PDFs); it falls under the broader umbrella of the American Recovery and Reinvestment Act of 2009.