The Department of Health and Human Services has issued an interim final rule governing notification of breaches of health information by HIPAA-covered entities.
The rule from the HHS Office for Civil Rights is available at hhs.gov/ocr/privacy. It will be effective 30 days after publication in the Federal Register in coming days and includes a 60-day comment period. The rule is mandated under the American Recovery and Reinvestment Act. The Federal Trade Commission recently issued breach notification rule that covers vendors of personal health records and certain other entities not covered under HIPAA (see healthdatamanagement.com/news/PHR-38824-1.html).
The HHS rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.
The rule also includes updated guidance from HHS on how to determine when information is "unsecured" and notification is required under the HHS and FTC breach rules. If the breached data is unusable, unreadable or indecipherable to unauthorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required.
--Joseph Goedert
AUG 20, 2009 10:32am ET
HHS Issues Breach Notification Rule
Add Your Comments:
You must be registered to post a comment.
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Most Read
Most Emailed
Twitter
Facebook
LinkedIn
Current Issue
A major success factor for accountable care organizations will be linking caregivers across the spectrum of care delivery. If history is any indication, that's going to be an industrywide struggle.
Be the first to comment on this post using the section below.