New HHS rule requires providers, health plans to notify consumers of privacy breaches

What used to be a state-by-state matter, in which a patchwork of laws offered consumers some limited protection when their health data was breached, has now become a national standard.

HHS has issued new rules, required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which require healthcare providers, health plans and other entities covered by HIPAA to notify consumers when their health information is breached.

The regulations, which were developed by HHS's Office for Civil Rights, require providers and other HIPAA-covered entities to promptly let individuals know when their data has been breached. What kicks things up a notch is that when a breach affects more than 500 individuals, the provider or health plan has to tell HHS and the media when the breach occurs.

As part of the same announcement, HHS notes that it has developed new standards that apply to vendors who sell personal health records and others not covered by HIPAA. It issued regulations giving more detail on when information is considered "unsecured" and when these entities must notify the public. Entities in these categories that are subject to the HHS and FTC requirements get a free pass on notification if they meet the two agencies' standards for having made the health information "unusable, unreadable or indecipherable."

Actually, your editor would like to suggest that defining ways to force PHR operators, such as Google and Microsoft, to meet HIPAA or HIPAA-like standards is big, big news, as it could have a big influence on how that industry shapes up.

To learn more about these rules:
- read this HHS press release
