HHS, FTC Issue Breach Notification Rules
Date Posted: August 20, 2009
The Department of Health and Human Services (HHS) Aug. 19 issued an interim final rule requiring health care providers and health plans to alert individuals of unauthorized access to their unsecured electronic protected health information (PHI). The HHS rule came two days after a Federal Trade Commission rule outlining similar requirements for personal health record (PHR) vendors, PHR-related entities and third-party service providers.
The HHS and FTC interim rules were mandated by the more stringent privacy and security requirements that the American Recovery and Reinvestment Act of 2009 (ARRA) imposed on entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and certain non-HIPAA-covered entities.
"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.
HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must also alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves fewer than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year. The interim final regulations are effective 30 days after publication in the Federal Register.
The regulations will be enforced on an interim basis until Congress can enact new legislation based on recommendations on potential privacy, security and breach-notification requirements contained in a joint HHS-FTC report due by February 2010.
HHS interim final regulations are online at http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf.
FTC interim final regulations are online at http://www.ftc.gov/os/2009/08/R911002hbn.pdf.
For more on the breach notification rules, see the September 2009 issue of Guide to Medical Privacy & HIPAA.