The new HHS Rule implements the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which was included as part of the Recovery Act. HITECH mandates that Covered Entities and their business associates provide notification to affected patients when there is a “breach” of “unsecured” protected health information. While there are nuances and exceptions that may apply, a “breach” generally occurs anytime there is an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.” What constitutes “unsecured” protected health information is a more technical question. Essentially, it means “protected health information that is not secured through the use of a technology or methodology” that renders protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.” Depending on the nature of the breach, the HHS Rule may require notice to affected patients, the Secretary of HHS, and the media. The HHS Rule also outlines the specific content within notifications, such as a description of what happened, the type of information involved, steps individuals should take to protect themselves from harm, and contact information to learn more information.
Register Now As you are not an existing subscriber please register for your free daily legal newsfeed service.Register
If you have any questions about the service please contact firstname.lastname@example.org or call Lexology Customer Services on +44 20 7234 0606.
The HHS Rule: breach notification for unsecured protected health information
If you are interested in submitting an article to Lexology, please contact Andrew Teague at email@example.com.
Senior Patent Counsel
Royal DSM NV