More on the "harm" threshold (and its possible demise)
Over on HIPAA Blog, attorney Jeff Drummond writes:
More on the “harm” threshold (and its possible demise): During this past week, the AHLA “HIT list” listserv has buzzed with commentary on the “harm” threshold (in large part started by the NYT article mentioned here), whether it should even be in there (or is an unconstitutional expansion of the statute beyond the capacity of HHS to enact), and whether it’s a good idea even if it can be instituted via regulation. Dom Nicastro has a nice article comparing the California breach notification statute, which is a net that catches all, to the HIPAA breach notification provisions, which allow the “no harm” breaches to be excluded from the reporting requirement. Virtually all of the California healthcare breaches reported to the state were not reported to HHS under the “harm” standard (although it’s possible some were not reported because they fit into one of the other HIPAA exceptions to reporting). Which means either we need the “harm” threshold to prevent useless and unnecessary reporting, OR we must get rid of the “harm” threshold because it is abused in its use.
I discussed Nicastro’s article on this blog yesterday, here. What I want to respond to here is Jeff’s conclusion that
either we need the “harm” threshold to prevent useless and unnecessary reporting, OR we must get rid of the “harm” threshold because it is abused in its use.
There are more than two options or rationales here. We could — and should — get rid of the “harm” threshold because it exceeds the statute passed by Congress and indeed, flouts Congress’s specific language and intent as they had specifically rejected a harm threshold after considering it. We could — and should — get rid of the “harm” threshold because it is premised on the notion that the main reason to notify patients of a breach is concern for societally recognized “harm” and does not consider the issue of patient trust and confidentiality as the primary reason to disclose a breach.
What Jeff Drummond considers “useless and unnecessary reporting” reflects what he or others might consider a pragmatic approach, but what I consider to be an approach that ignores the trust and confidentiality issues between provider and patient. Patients believe we are bound by an oath to keep what we learn about them confidential. Unless we’re going to start warning them, “Yes, I’ll keep this all confidential, but if I suffer a security breach, I may not tell you,” then we have an obligation to disclose breaches.