On Wednesday, August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify individuals when their health information is breached, implementing provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) passed in early 2009.

As stated in our recent publication titled "New HIPAA Federal Breach Notification Requirements, July 17, 2009," there was previously no obligation to notify affected individuals of a breach of privacy or security of protected health information. Now, covered entities must notify individuals upon discovering a breach of unsecured protected health information (PHI), and, further, a business associate must notify the affected covered entity upon discovery of the business associate's breach. Please see the above-mentioned publication for a summary of the new notice requirements.

Entities subject to the new law must now do the following to comply:

  • Develop and document policies and procedures for responding to a breach of PHI
  • Train workforce members on how to respond to a HIPAA security breach
  • Have sanctions procedures in place for workforce members who fail to comply with these policies and procedures
  • Permit individuals to file complaints regarding these policies and procedures or a failure to comply with them

The policies and procedures should outline all aspects of how the entity will respond should a breach occur. Specifically, the policies and procedures should allocate notification responsibilities to the appropriate employees; provide a step-by-step policy for reacting in a timely manner in the case of a breach; provide sample notification materials for affected individuals, HHS, and the media; provide procedures for investigating the breach and mitigating its damages; and much more.

The new law takes effect September 23, 2009. Implementing new policies and procedures and conducting workforce training now will prepare an entity subject to these regulations to comply with the law in the event of a breach, will eliminate the possibility of failing to meet the notification deadlines, and will assist the entity in mitigating the damaging effects of a breach. HHS can impose civil penalties of up to $1.5 million per violation per year for non-compliance with these new laws. Do not delay in implementing a program to comply with these new requirements.