HHS issued an interim final breach notification rule today, which implements provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act included as part of the stimulus bill. The regulation requires covered entities to notify individuals when their health information is breached. These entities are also required to notify the Secretary of HHS and the media in cases where a breach involves more than 500 individuals. If less than 500 individuals are involved, entities are required to report breaches to the Secretary of HHS on an annual basis. Business associates are also required to report breaches to covered entities who, in turn, will notify the appropriate individuals.

The rule also contains an update to earlier guidance issued by HHS identifying encryption and destruction as the methodologies and technologies that result in protected health information becoming unusable, unreadable, or indecipherable to unauthorized individuals.

Interim Final Rule: http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf