HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information
August 19, 2009
As required by the Health Information Technology for Economic and
Clinical Health (HITECH) Act, passed as part of the American Recovery and
Reinvestment Act of 2009 (ARRA), the U.S. Department of Health and Human
Services (HHS) issued “breach notification” regulations today requiring
health care providers and other HIPAA covered entities to notify affected
individuals following a breach of unsecured protected health information.
The regulations require covered entities to promptly notify affected
individuals, the Secretary of HHS, and in some cases, the media, of a
breach. Smaller breaches may be reported to the Secretary on an annual
basis. The regulations also require business associates of covered
entities to notify the covered entity of breaches at or by the business associate.
The regulations were developed after considering public comment received in
response to an April 2009 request for information and after close consultation
with the Federal Trade Commission (FTC), which has issued companion breach
notification regulations that apply to vendors of personal health records and
certain others not covered by HIPAA.
To determine when information is “unsecured,” and therefore when
notification is required under the HHS and FTC rules, HHS is also issuing, in the
same document as the regulation, an update to its guidance specifying encryption
and destruction as the technologies and methodologies that render protected
health information unusable, unreadable, or indecipherable to unauthorized
individuals. Entities subject to the HHS and FTC regulations that secure
health information as specified by the guidance, through encryption or
destruction, are relieved from having to notify in the event of a breach of such
information. This guidance will be updated annually.
The HHS interim final regulations are effective 30 days after
publication in the Federal Register and include a 60-day public comment
period. For more information, visit the OCR web site at http://www.hhs.gov/ocr/privacy/.
This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.
This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.
If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.