Health Care Firms Must Notify Individuals If Data Is Breached

The federal government has issued new regulations requiring health care providers and health plans to notify individuals when their health information is breached.

The rules, issued by the U.S. Department of Health and Human Services (HHS), cover any entity that comes under the Health Insurance Portability and Accountability Act (HIPAA).

These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The regulations require health care providers and other HIPAA entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis.

The regulations also require business associates of HIPAA covered entities to notify those entities of breaches they may have caused.

“This new federal law ensures that covered entities and business associates are accountable to the HHS and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, acting director and principal deputy director of OCR.

The regulations were developed after consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.

The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

Topics Legislation