The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), generally requires employer-sponsored health plans and their business associates that handle protected health information (PHI) to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, when there is an unauthorized disclosure of the individuals’ unsecured PHI. HHS announced in August 2009 that it would not impose sanctions for any failure to provide the notice for breaches discovered before February 22, 2010, but that date has now passed. For more information about the breach notification rule, see the Hogan & Hartson privacy blog.