HHS regulations cover need to notify individuals after breaches of their health information
TUESDAY, Aug. 25 (HealthDay News) -- The U.S. Department of Health and Human Services issued new regulations on Aug. 19 requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals after their health information has been breached.
Under the regulations, health care providers, health plans, and other entities covered by HIPAA must promptly notify any individuals affected by a breach. If the breach affects more than 500 people, the Secretary of Health and Human Services and the media must also be notified. Breaches involving fewer than 500 people must also be reported to the secretary annually. The regulations also affect business associates of covered entities.
However, entities affected by these regulations that properly secure health information through encryption or destruction are not required to give notification if that information is breached.
"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese, J.D., the acting director and principal deputy director of the department's Office for Civil Rights, in a prepared statement.