HHS Issues Regs on HIPAA Breach Notifications
Business Insurance reports that the regulations issued August 19 implement provisions of the Health Information Technology for Economic and Clinical Health Act, which passed as part of the American Recovery and Reinvestment Act of 2009. The regulations require health care providers and other HIPAA-covered entities to promptly notify affected individuals, the HHS secretary, and the media when the breach affects more than 500 individuals, according to the news report.
Breaches affecting fewer than 500 individuals must be reported to the HHS secretary annually. Business associates of covered entities are also required to notify the covered entity of breaches at or by the business associate.
Alison Schaap, a Chicago-based legal consultant with Hewitt Associates Inc., told Business Insurance that employers are “going to have to look at their existing policies, what needs to change in terms of how they provide the required notification to individuals, and what updates they need to make” to their business associate agreements “so they can get the necessary information within the required time frame to provide notification to individuals in the event of a breach of unsecured protected health information.”