SEP 23, 2009 11:55am ET

Health Data Breach Rules Become Effective

New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months. Both rules were mandated under the American Recovery and Reinvestment Act.

A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement.

"Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule. "During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule."

A separate rule for HIPAA-covered entities, the HHS interim final rule, was published on Aug. 24 with a Sept. 23 effective date. The rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

The HHS rule also includes updated guidance on how to determine when information is "unsecured" and notification is required. If breached data is unusable, unreadable or indecipherable to unauthorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required.

Because of industry concerns with the quick deadlines and ambiguities in the law, HHS in the rule granted an enforcement grace period. "We will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or Feb. 22, 2010," the HHS interim final rule states. "During this initial time period--after this rule has taken effect but before we are imposing sanctions--we expect covered entities to comply with this subpart and will work with covered entities, through technical assistance and voluntary corrective action, to achieve compliance."

Both rules are available in the Federal Register at gpoaccess.gov/fr/index.html. Under "Browse the Table of Contents from back issues," click "Go" and select the Aug. 24 and Aug. 25 issues.

--Joseph Goedert
