Wednesday, August 26, 2009

HHS Releases HITECH Act Breach Notification Rule

HHS issued regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. On Wednesday August 19, the Office for Civil Rights of the Department of Health and Human Services (the "OCR") posted a copy of its Interim Final Rule for Breach Notification for Unsecured Protected Health Information (the "Interim Rule"), implementing Section 13402 of the HITECH Act (the "Act"). As an Interim Final Rule, there is a sixty day comment period after publication in the Federal Register. Comments may result in further changes or clarifications. This new Alert covers the highlights of the Interim Rule and is focused on the comments and analysis of the OCR that accompanied the Interim Rule.
These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
The regulations, developed by OCR, require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR.
The regulations were developed after considering public comment received in response to an April 2009 request for information and after close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.
To determine when information is “unsecured” and notification is required by the HHS and FTC rules, HHS is also issuing in the same document as the regulations an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information. This guidance will be updated annually.http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html

No comments: