The Department of Health and Human Services (HHS) recently published guidance on technologies and methodologies to secure health information, as required by the American Recovery and Reinvestment Act of 2009 (ARRA). The guidance provides steps that entities can take to secure personal health information in compliance with new ARRA requirements for the Health Insurance Portability and Accountability Act (HIPAA) and establishes the trigger for sending patients a notice that their data has been compromised. This guidance is related to two "breach notification" regulations, one to be issued by HHS and the other recently published by the Federal Trade Commission (see below). The HHS regulations will address covered entities (such as hospitals and other providers) while the FTC regulations apply to vendors of personal health records and other organizations not covered by HIPAA. The guidance must be updated annually. In addition to this guidance, HHS has also issued a request for information (RFI) soliciting public comment on the breach notification provisions of ARRA to inform future rulemaking and updates to the guidance. Once published in the Federal Register, the guidance and RFI will also be available for public comment.