The Department of Health and Human Services has issued an interim final rule governing notification of breaches of health information by HIPAA-covered entities.
The rule from the HHS Office for Civil Rights is available
The HHS rule requires providers, payers, clearinghouses and other HIPAA-covered entities to notify affected individuals of a data breach without unreasonable delay and no later than 60 days after discovery. When a breach affects more than 500 individuals, HHS and the media must also be notified promptly. Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches they discover.
The rule also includes updated guidance from HHS on how to determine when information is "unsecured" and notification is therefore required under the HHS and FTC breach rules. If the breached data has been rendered unusable, unreadable or indecipherable to unauthorized individuals through the specified encryption or destruction measures, notification of the breach is not required. Note that encrypted data only qualifies if the decryption key was not compromised along with it; a breach that exposes both the ciphertext and the key is still a breach of unsecured information.