
HHS sets rules for PHRs, plans and providers to notify consumers of privacy breaches

What used to be a state-by-state matter--in which a patchwork of laws offered consumers some limited protection when their health data was breached--now has become a national standard.

HHS has issued new rules, required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, that force healthcare providers, health plans and other entities covered by HIPAA to notify consumers when their health data is breached.

The regulations, which were developed by HHS's Office for Civil Rights, require providers and other HIPAA-covered entities to promptly let individuals know when their data has been breached. What kicks things up a notch is that when a breach affects more than 500 individuals, the provider or health plan has to tell HHS and the media when that breach occurs.

As part of the same announcement, HHS notes that it's developed new standards that apply to vendors who sell personal health records, and others not covered by HIPAA. It issued regs giving more detail on when information is considered "unsecured" and the entities must notify the public. Entities in these categories that are subject to the HHS and FTC requirements get a free pass on notification if they meet the two agencies' standards for having made the health information "unusable, unreadable or indecipherable."

Actually, your editor would like to suggest that defining ways to force PHR operators--such as Google and Microsoft--to meet HIPAA or HIPAA-like standards is big, big news, as it could have a heavy influence on how that industry shapes up.

To learn more about these rules:
- read this HHS press release
