Just how much do you trust someone, anyone? Seriously, do you really know everything that goes on in the hearts and minds of the people you know and trust best? Not to be cynical, but you really don't, which is why we humans keep few close friends, one spouse (at a time), and still often regard our pets as the "one who truly loves me". What does this have to do with HITECH privacy and security? A lot, when you consider the part of the interim rule on breach notification known as the "harm threshold".
The harm threshold comes from the Interim Final Rule (IFR) on breach notification that the HHS Office for Civil Rights (OCR) issued under the HITECH Act in 2009, effective that September. In short, the rule leaves the final determination of whether a potential breach is reported to HHS, and to the individuals affected by it, to the covered entity (CE) or business associate (BA) itself. As it currently reads, a provider, or any other entity holding your protected health information (PHI), must decide whether the compromise of that information poses a significant risk of harm to the individual(s). If it concludes the answer is no, then no notification of any kind is required. Regardless of where you fall on the political spectrum, this is problematic. We certainly don't need to become more litigious as a country, nor to scare people unnecessarily, but neither do we need the potential offender deciding that a particular lost laptop was secure enough, or that the local dump is far enough out of the way. Some argue that without a harm threshold there will be unwarranted fear, and eventually a "boy who cried wolf" syndrome in which notices are ignored. Perhaps.
Some interesting statistics on this topic come to us from California, which operates with no harm threshold at the state level. The California Department of Public Health (CDPH) receives about 220 notifications of potential breaches each month. Since January 1, 2009, the CDPH has received 3,766 such notifications, 98.7% of which it found to be "substantiated medical breaches". To be sure, not all of these posed harm to patients, but how would anyone know that without the chance to review the incident for themselves, or at least to have a second set of eyes on it?
Whether the harm threshold survives under HITECH to become part of a final rule remains to be seen. It is a tough decision with valid arguments on both sides. Perhaps a "run-in" period in which everything is reported, until we have solid statistics and experience to draw on? If we can set dates to draw down troops from a foreign battlefield, we ought to be able to set one for revisiting the harm standard, and for removing it if it proves onerous.