On August 24, the Department of Health and Human Services (HHS) issued an interim final rule under HIPAA on notification following a breach of unsecured protected health information. This new rule is required by the HITECH Act, part of the American Reinvestment and Recovery Act (ARRA), enacted on February 17, 2009. The interim final rule goes into effect on September 23, 2009.
The rule requires that covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and their business associates provide notification in the case of breaches of unsecured Protected Health Information (PHI). If a breach of unsecured PHI occurs, offices must notify each individual whose information may reasonably be believed to have been accessed, acquired, used or disclosed. If the breach involves more than 500 individuals, offices must also notify the media and the Secretary of HHS, who will post information about the breach on the HHS website. Business associates are required to notify the covered entity, which will then follow the notification process. Content guidelines for what to include in the notification are outlined in the interim final rule.
The rule provides guidance for determining what a breach is, and whether breached PHI is secured or unsecured. Secured PHI, whether paper or electronic, is "that which is rendered unreadable by method of encryption or destruction". The new notification rule applies only to breaches of unsecured PHI. The rule does not require offices to secure all PHI. According to the rule, "This guidance does nothing to modify a covered entity's responsibilities with respect to the Security Rule nor does it impose any new requirements upon covered entities to encrypt all protected health information."
Medical offices and their business associates must comply with this rule as of September 23, 2009. Simply put, if a breach of unsecured PHI occurs on or after September 23, 2009, the new notification rules must be followed. The commentary provided with the rule states that this deadline, although only 30 days after its date of issue, is considered reasonable because most states already have similar notification requirements in place. While offices are expected to comply in September, no sanctions will be imposed until February 22, 2010.