HHS issues notification rule in patient data breaches


New regulations requiring healthcare providers, health plans and other HIPAA-covered entities to notify an individual when their health information is breached were issued Wednesday by the U.S. Department of Health and Human Services (HHS).

The regulations, developed by the HHS Office for Civil Rights (OCR), require providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis.

“This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care,” said Robinsue Frohboese, acting director and principal deputy director of OCR. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of EHRs and electronic exchange of health information.”

HHS said it developed the regulations after considering public comment received and after consultation with the Federal Trade Commission (FTC).

To determine when information is “unsecured” and notification is required, HHS is issuing an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals.

“Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information,” the guidance stated.

The department said this guidance will be updated annually.

The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

The breach notification regulations implement provisions of the Health IT for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009.