An interim final rule released last week by the U.S. Department of Health & Human Services (HHS) requires health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to provide notice to individuals, HHS and, potentially, the media when unsecured protected health information is breached. The Federal Trade Commission (FTC) also issued a companion breach notification final rule that applies to vendors of personal health records and certain others not covered by HIPAA. These regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009.
Under the HHS rule, a breach occurs when the unauthorized acquisition, access, use or disclosure of protected health information (PHI) compromises the security or privacy of such information. Upon discovery of a breach, health care providers and other HIPAA covered entities must notify affected individuals without unreasonable delay but no later than 60 calendar days from the date of discovery. If a breach affects, or is believed to affect, 500 or more residents in a particular state or jurisdiction, additional notice must be provided to prominent media outlets serving that area. If a breach involves 500 or more individuals, the covered entity also must immediately notify HHS. All other breaches may be logged and reported to HHS annually. Business associates also have an obligation to report breaches to the affected covered entity so that the covered entity can then properly notify individuals, HHS and the media.
The HHS interim final regulations are scheduled to appear in the Federal Register on August 24, and will be effective 30 days afterwards. Covered entities and business associates should begin updating policies and procedures, training and existing business associate agreements to comply with the new rule. Penalties for HIPAA violations were increased last February by the HITECH Act, which also enhanced federal and state government HIPAA enforcement capabilities.
The FTC issued companion breach notification regulations that apply to vendors of personal health records and other entities not covered by HIPAA. The breach notification procedures are similar to those in the HHS rule, but violations will be treated as unfair or deceptive acts or practices under the Federal Trade Commission Act. These rules apply to breaches discovered 30 or more days after the rule's publication date in the Federal Register, which has yet to be announced. To give companies time to come into full compliance with the FTC rule, the FTC will begin enforcement 180 days after publication.