HITECH Act Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for unsecured Protected Health Information was published on August 24, 2009 in the Federal Register and it was effective from on September 23, 2009. The contents of this Notification are aimed at implementation of Section 13402 of Health Information Technology for Economic and Clinical Health or the HITECH Act that is dedicated at complete protection of a patient’s health information.


Understanding Breach Notification

The Notification essentially requires all covered entities and their business associated to provide notification in case there is unprotected or unsecured handling of PHI (protected health information). The reporting for the same needs to be done in accordance with certain standards set in this niche wherein notices need to be issued by the responsible covered entity or its business associates. The notification provisions are quite similar to those enforced as a part of the Federal Trade Commission (FTC) wherein all vendors or third party service providers that handle personal health records need to abide by regulations set forth as a part of Section 13407 of the HITECH Act.

Review of Breach Notification Requirements

In order to understand the overall public opinion of the Interim Final Rule, the HHS had set a period of 60 days wherein public comments were sought. As a result, the HHS received nearly 120 comments. The HHS reviewed its policy based on this public feedback. With the recommendations incorporated, a Final Rule was charted by the HHS and submitted to the OMB or the Office of Management & Budget for a review on May 14, 2010.

Current Status of Breach Notification Final Rule

At the moment, the HHS has withdrawn its Breach Notification Final Rule from the OMB review. This has been done to allow more detailed considerations and gain a comprehensive perspective into the matter. This is being regarded as critical to ensure that the health information of patients is secured to the maximum extent and all types of unauthorized disclosures are duly addressed. The next version of the Final Rule is expected to be listed in the Federal Register in the near future. Until the new Final Rule is listed, the Interim Final Rule (effective from September 23, 2009) will remain in effect.

To read more in this regard, please visit the following link:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationru...