What to Know About Red Flags, Notification Laws and the Hi Tech Act

By David S. Perkins | September 21, 2009

  • September 24, 2009 at 12:20 pm
    Doug Pollack says:

    The HITECH Act data breach notification provisions do add substantial complexity for health insurers and other HIPAA covered entities and business associates. The HHS Rules just issued that clarify how organizations must determine whether a data breach incident requires notification, or not, require the organization to carry out a “risk assessment” for every incident in order to make a determination as to whether the affected individuals are exposed to some level of “harm”. Since the law isn’t pre-emptive, an organization would have to make a notification determination not just based on the HHS Rules for HITECH, but also based on the laws for each state jurisdiction involved.


