Providers Called to Notify on Breach

The Department of Health and Human Services has issued an interim final rule governing notification of breaches of health information by HIPAA-covered entities.

The rule from the HHS Office for Civil Rights is available here. It will be effective 30 days after publication in the Federal Register in coming days and includes a 60-day comment period. The rule is mandated under the American Recovery and Reinvestment Act. The Federal Trade Commission recently issued a breach notification rule that covers vendors of personal health records and certain other entities not covered under HIPAA.

The HHS rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

The rule also includes updated guidance from HHS on how to determine when information is "unsecured" and notification is required under the HHS and FTC breach rules. If the breached data is unusable, unreadable or indecipherable to authorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required.