The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments. HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. However, HHS subsequently withdrew the breach notification final rule from OMB review to allow for further consideration.
Although the reason for the withdrawal is unclear, there has been some speculation that one reason may be to withdraw the harm standard from the rule, which requires notification only where the prohibited conduct creates a significant risk of harm. HHS had received complaints from Congressional leaders that they did not intend the HITECH Act to include such a harm standard.
HHS has indicated it intends to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.