New HITECH Act HIPAA Guidance
May 12, 2009
The FTC and HHS have issued the first set of HIPAA privacy/security guidance under the new HITECH Act requirements. The new guidance relates to the security breach notification requirement, which will go into effect in September 2009 (the exact date will depend on the date final regulations are issued).
Under this requirement, health plans and personal health record (PHR) vendors must provide individual notification if there has been a security breach of protected health information (PHI). Notification must be provided to individuals in writing within 60 days of discovery of the breach. If the breach involves more than 500 individuals, notice also must be made in prominent media outlets and to the Secretary of HHS (or to the FTC for PHR vendors).
1. HHS Guidance - "Secure PHI" - HHS issued guidance setting out which technologies will cause PHI to be considered "secure." If information is "secure," it will be exempt from the security breach notification requirement. Generally, HHS says information is secure if it has been encrypted or destroyed according to specific standards. The attached article describes this guidance in more detail, along with the specific questions on which HHS has requested comment. Comments on the HHS "Secure PHI" guidance are due May 21, 2009.
2. FTC Proposed Regulations - PHR Vendors - The FTC issued proposed regulations describing the specific notice requirements applicable to PHR vendors. HHS is required to issue similar regulations that will apply to health plans. While the FTC regulations do not apply directly to health plans, we would expect the two sets of regulations to at least be consistent. The attached chart describes the FTC proposed regulations and examples/further guidance from the Preamble to the regulations. The attached chart also lists the specific areas in which FTC requested comment. Comments on the FTC proposed regulations are due June 1, 2009.
A timeline of future regulations/guidance also is attached.
HHS Guidance
Breach Notification Chart
HITECH Act (H.R.1) Timeline