New Rule Mandates Disclosure if Health Data Lost
Health care providers, health plans, and others covered by the Health Insurance Portability and Accountability Act soon must notify individuals whose health information was breached, under today's HHS rule.
Health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act must notify individuals when their health information is breached, under a rule issued Aug. 20 by the U.S. Department of Health and Human Services and set to take effect in 30 days. The regulations, developed by the HHS Office for Civil Rights, require prompt notification of the affected individuals and, if more than 500 individuals are affected, of the HHS secretary and the media as well. Breaches affecting fewer than 500 individuals will be reported annually to the secretary.
The rule implements provisions of the Health Information Technology for Economic and Clinical Health Act, which was passed as part of the American Recovery and Reinvestment Act of 2009.
"This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese, acting director and principal deputy director of the Office for Civil Rights.

In the same document as the regulations, HHS updated its guidance spelling out encryption and destruction as the technologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals; entities that apply these properly are relieved of the obligation to notify if such information is breached. HHS said it will update the guidance annually.