HHS releases breach notification rules

The U.S. Department of Health and Human Services (HHS) has issued new regulations that require healthcare providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached.

The regulations are part of the Health Information Technology for Economic and Clinical Health (HITECH) Act contained in the American Recovery and Reinvestment Act (ARRA) of 2009.

The so-called "breach notification" regulations require healthcare providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis.

The rules also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

To help covered entities determine when notification is required under the HHS and Federal Trade Commission rules, HHS is issuing, in the same communiqué, updated guidance that specifies encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

Copyright © 2009 AuntMinnie.com