DHHS Releases Guidance to Providers on Data Breaches


On August 19, 2009, the Department of Health and Human Services (DHHS) issued an interim final rule, "Breach Notification for Unsecured Protected Health Information." The rule was released to implement provisions in the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH requires that patients be notified if their personal health information is breached. This rule clarifies several issues related to the breach notification requirement.

  • What types of breach trigger a notification requirement?
    • The rule states that individuals need to receive a notice only if the breach results in harm to the patient.
    • In some circumstances, unauthorized disclosure of information may occur but it would not be considered a breach. An example of this would be if the name of a patient was inadvertently disclosed to an unauthorized employee of the provider.
  • How are patients to be notified of a breach?
    • If a breach occurs, physicians should send written notification via first class mail to each individual affected by the breach.
    • If a breach affects more than 500 individuals, the notice must also be provided to major media outlets serving the relevant area.
    • Details on alternative means of notification are provided when an individual's address is unknown.

In response to the rule, on October 1 congressional leaders sent a letter to Health and Human Services Secretary Kathleen Sebelius expressing concern that the bar that was set to trigger a notification was too high and was inconsistent with congressional intent. Congressional leaders requested that the Secretary revise or repeal the harm standard provision included in the interim final rule. At this time the impact of this letter is unclear.

Although the rule goes into effect 30 days after it is published, DHHS will use the enforcement discretion available to it and will not pursue violations before 180 calendar days from publication of this rule. The complete rule is available online.
