HHS has withdrawn a proposed version of its final rule for health data breach notification from administrative review by the Office of Management and Budget, a notice posted on HHS' website states, Modern Healthcare reports (Conn, Modern Healthcare, 7/29).
HHS submitted the rule for OMB review on May 14 and said it intended to publish a final rule in the Federal Register in the coming months (AHA News, 7/29).
The rule relates to reporting requirements for hospitals, physicians, health plans and other specified handlers of patient information who experience data breaches (iHealthBeat, 9/22/09).
According to HHS, the agency removed the final rule "to allow for further consideration" (Modern Healthcare, 7/29).
Susan McAndrew -- deputy director for health information privacy in the HHS Office for Civil Rights -- said withdrawal of the proposed final rule does not affect the interim final rule on breach notification that was introduced last August and took effect in September 2009.
Since the interim rule's implementation, more than 100 entities that had security breaches involving data on 500 individuals or more have posted information on an HHS website.
Rule Criticism
Several components of the interim rule have been criticized by privacy advocates and lawmakers. In particular, House Energy and Commerce Committee Chair Henry Waxman (D-Calif.) and ranking Republican member Joe Barton (Texas) sent a letter to HHS Secretary Kathleen Sebelius asking HHS to "revise or repeal" a provision that charges providers and others involved with conducting a risk assessment after a breach to determine the level of harm. Under the provision, patients would have to be notified only in instances where those entities determine that harm has been done.
Waxman and Barton said the provision was "not consistent with congressional intent" (Modern Healthcare, 7/29).