HHS has issued an interim final rule, which takes effect in 30 days, regulating when and how patients must be notified if their healthcare information has been exposed in a security breach by hospitals, physician offices and other healthcare organizations.
The new rule is part of heightened privacy and security protections under the American Recovery and Reinvestment Act of 2009, or stimulus law. It is a companion to regulations released Monday by the Federal Trade Commission covering breaches involving vendors of personal health-record systems and certain other associated businesses not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
The new HHS rule was published in the Federal Register Wednesday, starting the 30-day clock toward its effective date. Simultaneously, HHS also opened a 60-day public comment period on the rule.
Both HHS and the FTC issued drafts of their proposed rules and opened those up for public comment in April.
Accompanying the interim final rule, HHS also issued a “guidance” specifying how encryption and other methodologies might render protected information under HIPAA “unusable, unreadable or indecipherable” as described in the stimulus law, creating, in effect, a safe harbor for providers from certain breach notification provisions. According to an HHS statement, “Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.”