There have been several significant developments regarding the new HIPAA rules in the past few days:  

  • On August 14, 2009, the Department of Health and Human Services (HHS) published a list of regional office privacy advisors. The HIPAA provisions of the American Recovery and Reinvestment Act required HHS to designate regional office privacy advisors to “offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for protected health information.”  
  • On August 17, 2009, the FTC published a Final Rule providing new regulations regarding notice of breach requirements for vendors of personal health records. Note: These regulations apply only to such vendors and their third party service providers -- see the HHSissued rules discussed in the bullet below regarding the new, similar regulations applicable to covered entities.  
  • On August 24, 2009, HHS published an Interim Final Rule providing new regulations regarding the HIPAA notice of breach requirements. The new regulations retain the definition of “unsecured protected health information” established by the previously issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. However, the new regulations create a useful “harm threshold” and outline how to assess whether or not a breach of unsecured protected health information passes this threshold. Covered entities must comply with the new notice of breach rules starting September 23, 2009. Covered entities should begin immediately to prepare in this short period to be ready to comply with the new rules; however, HHS announced that it will refrain from imposing sanctions for failure to make such notifications until 180 days from publication of the new rules (i.e., until February 22, 2010). Note that HHS has determined it has grounds to waive the notice-and-comment requirements of the Administrative Procedure Act and to proceed with these regulations in an Interim Final Rule. HHS is accepting comments to the regulations for 60 days following publication, but the regulations should be considered final as now published. HHS had issued an announcement and press release regarding these new regulations on August 19, 2009.