Written by Cynthia and Dianne
New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records.
Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new rules from the Department of Health and Human Services (HHS) starting Wednesday, September 23, 2009. Unsecured protected health information is information that has not been either encrypted or destroyed in accordance with HHS standards. Note that under the rules, a covered entity may not have to report a breach of unsecured protected health information if, after conducting a risk analysis, it believes in good faith that the unauthorized recipient of the PHI would not reasonably have been able to retain it (for example, if misdirected patient correspondence is returned as undeliverable and is unopened).
The breach notification regulations require prompt notification to affected individuals, as well as to the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches by the business associate.
The HHS regulations were developed in close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA. The FTC regulations are effective September 24, 2009. The rules are identical with respect to some provisions, similar in others, and completely different in a few others. Those differences can matter because some organizations will be covered by both regulations.
Both the FTC and HHS intend for their regulations’ notices to be combined with the state-required notices, so that a consumer would receive only a single notice. The agencies’ requirements for the content of the notices are practically identical, but the regulations have many differing requirements on a wide range of topics. For example, HHS’ requirements extend to breaches of health information in all formats, including paper, whereas the FTC’s requirements extend only to health information in electronic form. Also remember, there will be different state requirements for notice, some of which (particularly in Massachusetts) will conflict with the FTC/HHS content.
Text of HHS Breach Notification Rule
Text of FTC Breach Notification Rule
Mintz Matrix of State Data Breach Notification Laws