On August 19th, HHS issued new rules requiring HIPAA covered entities to notify individuals when their health information is breached.  The breach notification rules implement provisions of the HITECH Act, passed as part of the federal stimulus legislation in February.  A full copy of the new rules is available here.

The breach notification requirements will become effective on September 23rd, 2009.

Significant changes to HIPAA include:

  • Notice must be provided to individuals within 60 days from discovery of a breach.
  • The notice must contain detailed elements specified in the rules.
  • For breaches involving more than 500 individuals, the covered entity must also notify “prominent media outlets”, as well as HHS, within 60 days.
  • All breaches must be reported to HHS on an annual basis.
  • Covered entities must change policies and procedures as necessary to comply with these new rules.
  • Workforce members must be trained about the impact of the new data breach requirements.

Note that the policy development and training requirements apply to all covered entities.

In addition, the regulations contain updated guidance on what it will take to adequately secure (whether through encryption or otherwise) health information in order to minimize the impact of the notification rules.

Health care organizations need to move quickly to ensure compliance with these complex new rules in an extremely compressed time frame.