Health Information Management

HHS releases interim final rule for breach notification, secure PHI

HIM-HIPAA Insider, August 25, 2009

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

HHS released an interim final rule regarding breach notification and the acceptable methods for covered entities (CE) and business associates (BA) to encrypt and destroy patient records to prevent breaches of protected health information (PHI).

The American Recovery and Reinvestment Act (ARRA) of 2009 required HHS to issue the final guidance six months after President Barack Obama signed into law Title XIII of the ARRA—the Health Information Technology for Clinical and Economic Health (HITECH) Act.

The breach notification regulations take effect September 19—30 days from the announcement of the final guidance. The regulations include the following:

  • Notice to patients of breaches "without reasonable delay" within 60 days
  • Notice to CEs by BAs when BAs discover a breach
  • Notice to "prominent media outlets" on breaches of more than 500 patient records
  • Notice to "next of kin" on breaches of patients who are deceased
  • Notice to the secretary of HHS of breaches of 500 or more patient records without reasonable delay
  • Annual notice to the secretary of HHS of breaches of fewer than 500 patient records when their PHI is unsecure (which poses a significant financial risk or other harm to the individual)



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular