Interim final regulations were issued on August 24, 2009 by the United States Department of Health and Human Services ("HHS"), implementing an amendment made to the HIPAA privacy regulations by the Health Information Technology for Economic and Clinical Health Act. These amendments made to the HIPAA privacy regulations require "covered entities" and "business associates" to provide notification to affected patients and the federal government of "known" specified breaches of the HIPAA privacy regulations involving unsecured Protected Health Information ("PHI") occurring on or after September 23, 2009.
Subject areas covered by the regulations include:
- what constitutes "unsecured" PHI subject to the new notification rules, including technologies or methodologies which a covered entity or business associate may employ to cause PHI to be deemed to be "secured" PHI (unusable, unreadable or indecipherable to unauthorized individuals) that is exempt from the new notification rules;
- exceptions to the new notification rules for specified breaches;
- when a covered entity or business associate will be treated as having knowledge or deemed knowledge of a breach of the HIPAA privacy regulations involving unsecured PHI triggering its or their duty to provide notice thereof; and
- the timing, method and content of required notifications to affected patients and HHS for breaches subject to the new notification requirements.