Reprint from: Home Care Automation Report    (www.HomeCareAutomationReport.com)
Issue date: 2009-08-26    Article category: Regulatory

Fed issues new HIPAA Data Breach Rules


On August 24, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) issued rules for notifying individuals in the event of a breach of their private medical information.
 
Background
The American Recovery and Reinvestment Act of 2009 (ARRA) includes provisions to advance the use of health information technology and to strengthen privacy and security protections for health information. Within ARRA, section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to issue regulations obliging entities covered under HIPAA (the Health Insurance Portability and Accountability Act of 1996) to report breaches of unsecured health information, and to update its guidance on which technologies and methodologies protect private health information.
 
The Federal Trade Commission has jurisdiction over web-based entities that handle personal health records but are not subject to HIPAA rules. HITECH also instructs HHS to submit a report by February 2010 with potential privacy, security and breach-notification requirements for these organizations.
 
HHS Rules
The HHS rules apply to healthcare providers and other organizations covered by HIPAA and refer to breaches of unsecured protected health information: health information that is not secured through HHS-approved technology or methodology. HHS defines a breach as an unauthorized acquisition, access, use or disclosure of protected health information that compromises the security or privacy of that information.
 
When a breach occurs, the organization must promptly notify the individuals affected. If the breach encompasses more than 500 records, the organization must also report it to HHS and the media. Breaches that affect fewer than 500 records can be reported to HHS once a year.
 
Read the Breach Notification for Unsecured Protected Health Information; Interim Final Rule.

FTC
Until HHS submits its report early next year on notification rules for web-based businesses not covered under HIPAA, the FTC has issued interim breach rules, which are the same as the HHS rules. These rules apply to vendors of personal health records and to entities that offer third-party applications for personal health records.
 
Read the FTC Health Breach Notification Rule
 
The FTC also offers a standard form for reporting breaches.
 
The HHS rules will take effect on September 23, 2009.

©2006 Stony Hill Publishing