

On August 19, 2009, the federal Department of Health and Human Services (HHS) issued the interim final rule regarding notification of breaches of unsecured protected health information under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule refines and narrows key concepts in a manner that will limit the notification obligations of covered entities. In connection with the rule, HHS also updated its April 17, 2009, guidance specifying technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals, and therefore exempt from the notice requirements.

Background: ARRA Adds Breach Notice Requirement to HIPAA

The American Recovery and Reinvestment Act (ARRA) made several changes to HIPAA, including the addition of a requirement that covered entities give notice to individuals of breaches of unsecured protected health information that compromise the privacy or security of the information. In addition, if the breach involves 500 or more individuals, the covered entity must immediately give notice to HHS and a prominent media outlet.

Business associates are also subject to a notification requirement, although they must notify the covered entity rather than the individual.

Rule Effective for Breaches Discovered 30 Days From Publication

ARRA required HHS to issue an interim final rule on the notification requirement within 180 days of the February 17, 2009, enactment date. The rule will be effective for breaches discovered on or after 30 days from publication of the rule in the Federal Register.
