Regulatory Update: HITECH’s Security Breach Notification Requirements
April 22, 2009
This White Paper discusses guidance issued by the U.S. Department of Health and Human Services under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009, which requires covered entities, business associates, vendors of personal health records (PHR) and related entities to notify individuals when their unsecured protected health information and PHR identifiable health information are subject to a breach of security. The guidance describes what is considered "secure" protected health information for these purposes. The Federal Trade Commission has also published a Federal Register notice seeking public comment on a proposed rule that would require vendors of PHRs and related entities to notify individuals when the security of their identifiable health information is breached. These two pronouncements represent the beginning of a series of proposed and interim final regulations to be issued pursuant to the HITECH Act, and the industry should anticipate more regulations in the near future.