The Office for Civil Rights of the U.S. Department of Health and Human Services issued new federal regulations on August 19, 2009 that requires health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their “unsecured” health information is breached.

These regulations, referred to as the “Breach Notification” regulations, implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA, and commonly referred to as the Stimulus Act).

The Breach Notification regulations require health care providers and other entities subject to HIPAA to promptly notify affected individuals of a breach, as well as the Department of Health and Human Services (HHS) and the media in cases where a breach affects more than 500 individuals. The regulations also require business associates as defined in the HIPAA regulations to notify the covered entity of breaches by the business associate.

The regulations were issued two days after the Federal Trade Commission (FTC) issued companion breach notification regulations (on August 17, 2009), which apply to vendors of personal health records and certain other entities who are not covered by HIPAA.

To determine when information is “unsecured” and notification is required by the Breach Notification regulations, the OCR also included in the regulations an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. An important aspect is that entities covered by the Breach Notification regulations issued by OCR and the FTC subject that secure health information as specified by the guidance through encryption or destruction are relieved from the notification requirements in the event of a breach of such information. The OCR stated that the guidance will be updated annually.

These Breach Notification “interim final” regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. Additional information may be obtained on the HHS Office for Civil Rights web site.