HHS rules providers, payers, must notify of health info breaches

By Mary Mosquera
Wednesday, August 19, 2009

The Health and Human Services Department published a rule Aug. 19 that requires healthcare providers and health plans to alert patients to unauthorized access of their health information. The regulations apply to physicians and their offices, hospitals, insurance plans and other healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA).

Healthcare providers and other groups covered by HIPAA must promptly notify affected persons of a breach of their protected health data, and must also notify the HHS secretary and the media when a breach affects more than 500 people. Healthcare groups also must report annually to HHS the breaches that affect fewer than 500 people. The regulation further requires that business associates of HIPAA-covered organizations inform the covered group of any unauthorized use of or access to health information.

The rule makes sure that HIPAA-covered healthcare organizations and their business associates are accountable for properly safeguarding unsecured private information in their care, said Robinsue Frohboese, acting director and principal deputy director of HHS’ Office for Civil Rights, which has responsibility for the enforcement of HIPAA privacy and security.

“These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” Frohboese said.

The Federal Trade Commission issued companion rules Aug. 17 that apply to online businesses not governed by HIPAA that provide personal health records.

Congress ordered the breach notification regulations as part of the health IT provisions of the stimulus law. It is important that the HHS and FTC rules be consistent with each other to fully protect individuals.

HHS also updated its guidance, which specifies encryption and destruction as the technology and method that render protected health information unusable or unreadable to unauthorized individuals who gain access to it. Groups subject to the HHS and FTC regulations that secure their health information as the guidance directs do not have to send notifications if such information is breached. The guidance will be updated annually.

HHS developed the 121-page rule after considering public comments it received in response to an April request for information and after consulting with the FTC. The HHS interim final regulations at www.hhs.gov/ocr/privatcy are effective 30 days after publication in the Federal Register and include a 60-day public comment period.


