Feds Issue New HIPAA Data Breach Rules
For health care providers, health plans and other entities -- including business associates of covered entities -- that do not encrypt their health IT data, new regulations require prompt notifications to consumers in the event of a data breach.

The U.S. Department of Health and Human Services has issued new regulations requiring health care providers, health plans and other entities covered by HIPAA (Health Insurance Portability and Accountability Act) to notify individuals when their health information is breached. The breach notifications were part of the American Recovery and Reinvestment Act of 2009 passed earlier this year by Congress.
The regulations require health care providers and other HIPAA-covered entities to promptly notify affected individuals of a breach. In cases involving more than 500 individuals, covered entities are required to also notify the HHS and the media. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis.
Entities subject to the HHS and FTC (Federal Trade Commission) regulations that secure health information through encryption or destruction are not subject to the HHS breach notification requirements.
In conjunction with the HHS regulations, the FTC also has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.