|HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information|
HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information
As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA), the U.S. Department of Health and Human Services (HHS) issued "breach notification” regulations on August 19, 2009 requiring health care providers and other HIPAA covered entities to notify affected individuals following a breach of unsecured protected health information.
The regulations require covered entities to promptly notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach. Smaller breaches may be reported to the Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate. The regulations were developed after considering public comment received in response to an April 2009 request for information and after close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.
To determine when information is "unsecured” and notification is required by the HHS and FTC rules, HHS is also issuing in the same document as the regulation an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information. This guidance will be updated annually.
The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. For more information, visit the OCR web site at http://www.hhs.gov/ocr/hipaa/.