Feds Issue New HIPAA Data Breach Rules

For health care providers, health plans and other HIPAA-covered entities -- and for the business associates that handle protected health information on their behalf -- that do not encrypt or otherwise secure their health IT data, new federal regulations require prompt notification of affected individuals in the event of a data breach.

The U.S. Department of Health and Human Services has issued new regulations requiring health care providers, health plans and other entities covered by HIPAA (Health Insurance Portability and Accountability Act) to notify individuals when their unsecured health information is breached. The breach notification requirements were enacted under the HITECH Act, which Congress passed earlier this year as part of the American Recovery and Reinvestment Act of 2009.

The regulations require health care providers and other HIPAA-covered entities to notify affected individuals of a breach without unreasonable delay, and in no case later than 60 days after the breach is discovered. In cases involving 500 or more individuals, covered entities must also notify HHS at the same time, and must notify prominent media outlets when more than 500 residents of a single state are affected. Breaches affecting fewer than 500 individuals are logged and reported to the HHS Secretary on an annual basis.

The new regulations also require business associates of covered entities to notify the covered entity of any breach that occurs at or is caused by the business associate, so that the covered entity can in turn notify the affected individuals.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights, said in a statement. "These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."

Entities subject to the HHS and FTC (Federal Trade Commission) regulations that secure health information through encryption or destruction, in the manner specified in HHS guidance, are not subject to the breach notification requirements for that information. The practical caveat is that encryption only removes the notification obligation if the data was actually unreadable to the party that obtained it: under the HHS guidance, encryption counts as securing the data only when the decryption key was not also compromised.

In conjunction with the HHS regulations, the FTC has issued companion breach notification regulations that apply to vendors of personal health records and certain related entities that are not covered by HIPAA.