ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect

Monday, 5 October 2009
Have you had a health data security breach? Do you know what a health data breach is? Are you required to notify individuals impacted by the breach? Do you have to notify federal agencies of such a breach?

Read on for more information regarding the Office for Civil Rights (OCR) and Federal Trade Commission (FTC) regulations requiring health care providers and other health data business vendors to assess and, in some cases, notify and report health information data breaches under the new federal law created by ARRA-HITECH.

The new regulations went into effect on September 23, 2009 and September 24, 2009, respectively, with a full compliance date of February 22, 2010. Health care providers covered under HIPAA and third party users of health information, including personal health record (PHR) companies and vendors, PHR related entities, health 2.0 companies and other third party health data service providers, should examine the regulations and understand the impact on their business.

The regulations require entities to develop internal compliance processes to act upon and advise individuals of data breaches that pose a significant risk of financial, reputational or other harm to the affected individual. The OCR regulations apply mainly to covered entities and business associates under HIPAA and the FTC regulations apply mainly to PHR vendors and PHR related entities. The regulations define a "breach" and set forth the time frames and scope of notification required. The regulations require the tracking and reporting of such data breaches to OCR and FTC. Also, OCR has published separate guidance specifying the technology and methods that will render health information unusable, unreadable and undecipherable as defined under ARRA-HITECH.

OCR has provided a summary of the breach notification rule on its website. OCR has also published instructions for reporting breaches to the HHS Secretary. The instructions include details for reporting "Breaches Affecting 500 or More Individuals" and "Breaches Affecting Fewer than 500 Individuals." OCR will also maintain a list of reported breaches that impact 500 or more individuals. The FTC also has a section on its website providing information on its health breach notification rule.

Below are links to the full regulation text:
  • OCR Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information 74 Fed. Reg. 19006 (April 27, 2009).
  • Federal Trade Commission: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached (16 CFR Part 318) 74 Fed. Reg. 42962 (Aug 25, 2009). The FTC has also issued a Breach Notification Form.

UPDATE (July 29, 2010):

Today the OCR/HHS issued a statement that the OCR Interim Final Rule listed above and published on August 24, 2010, is being withdrawn from the Office of Management and Budget (OMB). The full notice published on the OCR website states:

Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.