Sable, Hudock Quoted On New Standard For Notice Of Health Information Security BreachesReport on Patient Privacy October 1, 2009
Alicia Hayes Sable, an Associate in the Health Care and Life Sciences Practice in the New York office, and Robert Hudock, a Senior Associate in the Health Care and Life Sciences Practice in the Washington, DC office, were quoted in an article in the Report on Patient Privacy newsletter on a new "risk of harm" standard included in The Department of Health and Human Services (HHS) recently issued regulations regarding the new HIPAA breach notification requirements.
The article, "Harm Standard May Mean Fewer Breach Notices, But More Complications For CEs," stated that covered entities (CEs) must apply a new "risk of harm" standard to determine whether breaches of protected health information must be reported to individuals, the government and the media.
Alicia Hayes Sable noted that HHS has made federal standards more in line with state security breach notification laws, and that the new "harm" standard will decrease the number of notices that would be sent in the absence of a "harm" standard, which will likely increase the value of the notices that are sent to individuals. She added that CEs should have policies and procedures in place to assess whether adequate policies and procedures exist to assess risk management.
Robert Hudock said that some CEs may find the process simpler than some state notification laws. "I actually believe the [HHS] standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to customers."