The Health Information Technology for Economic and Clinical Health Act ("HITECH Act")—part of the American Recovery and Reinvestment Act of 2009—includes rules and regulations that will soon expand HIPAA requirements for covered entities and business associates, and create new obligations for vendors of personal health records ("PHR") and related entities.
Starting September 23, 2009, the Department of Health and Human Services (HHS) will subject covered entities and business associates regulated by HIPAA to new breach notification requirements concerning protected health information ("PHI"). Specifically, when a covered entity discovers a breach of unsecured PHI, it will be required to notify each affected individual of the breach, as well as the Secretary of HHS. For a breach involving more than 500 residents of a state or jurisdiction, a covered entity will also have to notify the media about the breach. A business associate will need to notify a covered entity of any breach of unsecured PHI it discovers as well.
HHS defines "breach" as "the acquisition, access, use, or disclosure of protected health information" in a manner that violates the HIPAA Privacy Rule or Security Rule, and "unsecured" PHI as PHI that is "not rendered unusable, unreadable, or indecipherable to unauthorized individuals." "Covered entity," "business associate," and "protected health information" retain their current HIPAA definitions.
The FTC will impose similar requirements on vendors of PHR and other related entities that are not typically regulated by HIPAA. Beginning September 24, 2009, these vendors will have to notify consumers of any breach of unsecured PHR identifiable health information that they discover, and third-party service providers will have to notify their vendors of such breaches. In most cases, however, covered entities and business associates that fall under HIPAA will be subject to HHS's breach notification rules rather than the FTC's.
While the breach reporting obligations technically become effective on September 23 and 24, HHS and FTC have stated that they will not impose sanctions for noncompliance with the new requirements until February 2010. HHS and FTC expect entities affected by the rules and regulations to use this grace period to achieve compliance with the new requirements.