The American Hospital Association supports the inclusion of a "risk threshold" in the Department of Health and Human Services' interim final rule covering breach notifications, according to a comment letter sent to HHS officials.

Under the interim final rule, an organization that experiences a breach of protected health information need not provide notification if it determines there is no significant harm to affected individuals. This level of standard is consistent with a majority of state breach notifications, according to the AHA.

"We believe that it is critical to the successful implementation of a federal breach notification policy that patients be notified of breaches that pose a significant risk of harm, yet not receive countless notices of breaches that do not pose harm," the AHA letter states. "Therefore, we strongly encourage HHS to maintain its definition of 'breach' in finalizing this rule."

Other AHA comments include:

  • HHS should identify--beyond use of a limited data set where certain identifying information is removed--other situations in which inadvertent use and disclosure does not compromise PHI and warrant a breach notification. "For example, there are many conceivable situations in which inadvertent disclosures from one covered entity to another would not compromise the privacy or security of the information, such as where a hospital sends information to the wrong physician practice, mistakenly and in good faith. In this circumstance, both the disclosing and receiving entities already are bound by the HIPAA privacy rule's obligation to mitigate harm."
  • Covered entities should not be required to determine whether a business associate is an "agent" or "contractor" of a covered entity. Such a determination could affect establishment of when a covered entity learned of a breach. The AHA asks HHS to clarify that all business associates are covered under the HIPAA privacy rule, "which details when a business associate must notify a covered entity of a breach, and that a covered entity will only 'discover' a breach when informed of the breach by its business associate consistent with this timing requirement," according to the comment letter.

Full text of the letter is available on the right-hand side of the home page at

    This article can also be found at

    Register or login for access to this item and much more

    All Information Management content is archived after seven days.

    Community members receive:
    • All recent and archived articles
    • Conference offers and updates
    • A full menu of enewsletter options
    • Web seminars, white papers, ebooks

    Don't have an account? Register for Free Unlimited Access