Over on HIPAA Blog, attorney Jeff Drummond writes:
More on the “harm” threshold (and its possible demise): During this past week, the AHLA “HIT list” listserv has buzzed with commentary on the “harm” threshold (in large part started by the NYT article mentioned here), whether it should even be in there (or is an unconstitutional expansion of the statute beyond the capacity of HHS to enact), and whether it’s a good idea even if it can be instituted via regulation. Dom Nicastro has a nice article comparing the California breach notification statute, which is a net that catches all, to the HIPAA breach notification provisions, which allow the “no harm” breaches to be excluded from the reporting requirement. Virtually all of the California healthcare breaches reported to the state were not reported to HHS under the “harm” standard (although it’s possible some were not reported because they fit into one of the other HIPAA exceptions to reporting). Which means either we need the “harm” threshold to prevent useless and unnecessary reporting, OR we must get rid of the “harm” threshold because it is abused in its use.
I discussed Nicastro’s article on this blog yesterday, here. What I want to respond to here is Jeff’s conclusion that
either we need the “harm” threshold to prevent useless and unnecessary reporting, OR we must get rid of the “harm” threshold because it is abused in its use.
There are more than two options or rationales here. We could — and should — get rid of the “harm” threshold because it exceeds the statute passed by Congress and indeed, flouts Congress’s specific language and intent as they had specifically rejected a harm threshold after considering it. We could — and should — get rid of the “harm” threshold because it is premised on the notion that the main reason to notify patients of a breach is concern for societally recognized “harm” and does not consider the issue of patient trust and confidentiality as the primary reason to disclose a breach.
What Jeff Drummond considers “useless and unnecessary reporting” reflects what he or others might consider a pragmatic approach, but what I consider to be an approach that ignores the trust and confidentiality issues between provider and patient. Patients believe we are bound by an oath to keep what we learn about them confidential. Unless we’re going to start warning them, “Yes, I’ll keep this all confidential, but if I suffer a security breach, I may not tell you,” then we have an obligation to disclose breaches.
I find it interesting that the one sector that has an oath, “first do no harm,” hides under risk of harm. Do these same people decide my “risk of harm” regarding my health also? Is risk of harm to my health also determined by cost of care? We know sometimes it is. Something to think about.
“Do these same people decide my “risk of harm” regarding my health also?”
Of course. Health care providers may decide a patient is a risk to himself or others and have the patient held involuntarily. Health care providers may make decisions as to relative risk in determining which of two surgical procedures to use, etc.
Making decisions for patients about what they need — or do not need to know — is something that has been hotly debated. I’ve had physicians swear to me that they have withheld information from patients because they could tell, by the look on the patient’s face, that the patient did not want to be told the full truth. I believe that unless our patients tell us in advance that they want us to withhold information at our discretion or in our judgment, it’s paternalistic on our part to do so. And I think arguments such as worrying patients needlessly by informing them of breaches are self-serving and/or paternalistic.
I couldn’t agree more. My father was dying while the physicians denied he was near death. Not until we argued we wanted to remove life support did they even consider telling us the whole picture. To this day, they considered it failure to thrive while we know it was either untested leukemia or another illness caused by radiation treatment years before. We didn’t do an autopsy due to my mother’s request but at least she had the right to decide that. I had to sleep in my father’s room to make sure the nurses did not violate our decision. To me, first do no harm means telling the patient the entire truth so I can make decisions for myself and my future.