The U.S. Department of Health and Human Services (HHS) has issued new regulations that require healthcare providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached.
The regulations are part of the Health Information Technology for Economic and Clinical Health (HITECH) Act contained in the American Recovery and Reinvestment Act (ARRA) of 2009.
The so-called "breach notification" regulations require healthcare providers and other HIPAA-covered entities to promptly notify affected individuals of a breach of unsecured protected health information. When a breach affects 500 or more individuals, the entity must also notify the HHS Secretary and the media. Breaches affecting fewer than 500 individuals are logged and reported to the HHS Secretary on an annual basis.
The rules also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
In the same communiqué, HHS is also issuing an update to its guidance that specifies encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. That guidance determines when notification is required under the HHS rule and the parallel Federal Trade Commission rule: information secured by one of the specified methods is not considered "unsecured," so its loss or disclosure does not trigger the notification requirements.
The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.
Copyright © 2009 AuntMinnie.com