HHS Issues HIPAA Security Breach Notification Rules
August 25, 2009

On August 24, 2009, the Department of Health and Human Services (HHS) issued interim final rules on HIPAA’s new security breach notification requirement, which was adopted under the Health Information Technology for Economic and Clinical Health (HITECH) Act in February as part of the stimulus bill.
The HITECH Act made significant changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, including a new requirement that covered entities notify individuals when their “unsecured” protected health information (PHI) is breached. The notice must be provided to affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, by first class mail (or by email if the individual has agreed to receive electronic notice). If the breach is large enough (generally, involving 500 or more individuals), the covered entity must also notify prominent media outlets and HHS, which will list the covered entity on its website.
The new rules take effect 30 days after publication in the Federal Register, on September 23, 2009, although HHS has adopted a nonenforcement policy through February 22, 2010. Comments are due October 23, 2009.
The attached summary details the new rules, including what steps health plans and health care providers should be taking. Also attached are the rules themselves.