In a letter to HHS, the AHA argued that notifying individuals of breaches, when it has been determined that there is “no reasonable likelihood of harm to the individuals,” serves “no useful purpose.”
The AHA further stated that including a risk of harm standard is consistent with language in the HITECH Act, as well as with state laws and federal agency policies.
While the AHA generally supports the HHS’ rule that would require providers to notify individuals of breaches, the group is opposed to the HHS’ guidance that “covered entities must determine whether their business associates are agents in order to understand when a business associate’s knowledge of a breach will be imputed directly to covered entities,” according to the report.
Read the AHANews’ report on the AHA’s stance on retaining the risk of harm standard.
