HITECH PHI Breach Notification Rulings
Hospitals and medical centers now have even more reason to be concerned about privacy and security as new rulings released last week go into effect. Healthcare CIOs need to heighten the attention they place on the protection of sensitive patient information as it pertains to access, storage and transmission. This will need to be done in conjunction with their new focus on “meaningful use,” which includes CPOE and EMR upgrades and installations, clinical documentation, quality measures and interoperability.
On Wednesday August 19th, the Department of Health and Human Services (HHS) issued their “interim final” ruling that requires healthcare providers and health plans to alert individuals of unauthorized access to their unsecured electronic protected health information (PHI). This came just two days after a Federal Trade Commission (FTC) rule was released which outlined similar requirements for personal health record (PHR) vendors, related PHR entities and third-party service providers.
Both of these interim rulings have been mandated by the very stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities. Try saying that fast five times!
The HHS and FTC collaborated to make sure that the rules were in sync and written in such a way that they complemented one another. All entities that are covered by either of these rulings have 60 days to notify any individuals whose information was accessed without the proper authorization. If a large breach occurs that falls within the PHI rules and involves 500 or more people, then those entities must alert the press and media and then either HHS or FTC, depending on which of the rulings they are subject to. If the breach involves fewer than 500 people, those entities must record and log the incident and then contact and submit the breach findings to either HHS or FTC at the end of the year. These “interim final” regulations will take effect 30 days after their publication in the Federal Register on August 24th.
The HHS “interim final” regulations are available at http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf.
The FTC “interim final” regulations are online at http://www.ftc.gov/os/2009/08/R911002hbn.pdf.