The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities (e.g., now also Business Associates) covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a Press Release that it finalized its final rule on security breach notification, which will apply to vendors of personal health records. Both HHS’ and FTC’s “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will includes a 60-day public comment period. However, the HITECH Act specifies that compliance with breach notification requirements set forth in the HITECH Act (e.g., Sections 13401-13402) go into effect with respect to breaches that are discovered on or 30 days after the date upon which the publication of the interim final rules. Therefore, those required to comply with such provisions in the HITECH Act should be prepared to comply with the HITECH Act’s security breach notification requirements by some time towards the end of September.
Click here to link to a copy of the HHS’ Interim Final Breach Notification Rule.