
CCH® BENEFITS — 08/10/10

HHS Withdraws HIPAA Security Rules

From Spencer’s Benefits Reports: The Department of Health and Human Services (HHS) has announced the withdrawal of its interim final regulations addressing security notification for breaches of information that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

An interim final rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act was published in the Federal Register on Aug. 24, 2009, and became effective on Sept. 23, 2009.

In its announcement, HHS noted that it reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for regulatory review on May 14, 2010. However, HHS is withdrawing the final rule from OMB review “to allow for further consideration.”

According to HHS, “This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.”

Under that withdrawn rule, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct posed a “significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it was not sufficiently protective of patients’ and plan participants’ rights.

According to Philip J. Gordon, chair of the Privacy and Data Protection Practice Group of the law firm of Littler Mendelson, “If the HHS were to eliminate the ‘harm standard’ in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were the HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the ‘harm standard’ could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.”

For more information on Littler Mendelson, visit
