The much anticipated "breach notification" rule was recently published by the Department of Health and Human Services (HHS), Office of Civil Rights (OCR). As required by the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the rule adds new specifications for covered entities and business associates, outlining how they must provide notification when "unsecured" protected health information (PHI) has been breached. The HHS rule, combined with the new FTC final rule regarding the breach of unsecured, identifiable personal health records (PHR) from non-covered entities such as vendors and their third-party service providers, ushers in the new era of the privacy and security protections for individuals. Most entities will be subject to only one rule. There are a finite number of entities required to comply with both the HHS and FTC rule, and companies must quickly make sure they are clear on which rules apply to their businesses. HHS worked with the FTC to ensure both sets of regulations were "harmonized." The HHS interim final rule provides covered entities and business associates with a short window in which they can impact the breach notice policy process. Comments on the interim final rules are due on or before October 23, 2009, while comments regarding the information collections requirements are due on or before September 8, 2009. Baker Donelson is currently assisting clients in drafting and submitting comments and can assist you in having your voice heard on these key issues.

Click here for key terms and highlights of the Interim Final Rule.

Click here to review our prior Alert on the HITECH Act.