HIPAA Breach Notice Rules to Take Effect
The U.S. Department of Health and Human Services (HHS) has issued new regulations requiring health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information (PHI) is breached.
The rules take effect Sept. 23, 2009, though a six-month grace period means that HHS will not impose penalties for breaches discovered before Feb. 22, 2010.
The regulations require health care providers and other HIPAA-covered entities to “promptly” notify individuals affected by a data breach. Where a breach affects more than 500 individuals, the covered entity must also notify the HHS Secretary and the media, according to HHS. Breaches affecting fewer than 500 people must be reported to the HHS Secretary annually. Business associates of covered entities must notify the covered entity of any breach that occurs at, or is caused by, the business associate.
“This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care,” says Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights.