Coming under criticism for allowing covered entities (in this case, those health care providers and others who maintain health records) to police themselves in matters of maintaining the privacy of Protected Health Information (PHI), the Department of Health and Human Services (HHS) has withdrawn its breach rule of September 2009.

The interim final rule, already in effect and called for under the terms of the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009, had long since been submitted to the Office of Management and Budget (OMB) for official implementation when, on July 28, HHS decided it was "a complex issue" and withdrew the rule to start over again.

The breach notification interim final rule required health providers, health plans and their business associates to notify affected individuals within 60 days of a breach of unsecured sensitive data and, in cases involving more than 500 individuals, to notify HHS and the media as well. With more than 120 public comments received, the department realized that allowing the affected businesses to determine what is and what is not a breach was not going to fly.

"The administration is committed to ensuring that individuals' health information is secured to the [fullest] extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," HHS said in its announcement.

Personnel Concepts will continue to monitor developments in breach notification regulations and keep everyone informed of further changes. Meanwhile, you should visit the Personnel Concepts HIPAA and COBRA Compliance section on its Web site for products and programs to help keep your company in compliance.