“This new federal law ensures that covered entities and business associates are
accountable to the Department and to individuals for proper safeguarding of the
private information entrusted to their care. These protections will be a
cornerstone of maintaining consumer trust as we move forward with meaningful use
of electronic health records and electronic exchange of health information,”
said Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR.
(HHS Press Release)
Under the new rules, businesses must immediately notify affected individuals of a breach, and must also notify HHS (or the FTC) and the media when a breach affects more than 500 individuals. This notice requirement is designed to help consumers make informed decisions when their health information is released to unauthorized users, while also prompting companies to improve their security. Businesses are also required to update their HIPAA policies and train employees on the new procedures.
What is a breach?
A breach occurs when 1) there has been “unauthorized” access, use or disclosure of PHI, which violates the HIPAA Privacy Rule and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”
Let’s say, for example, your company sponsors a group health insurance plan and a laptop containing enrollment information constituting PHI is lost or stolen. You most likely would be required to notify the affected individuals. Or perhaps you operate a HIPAA-covered medical practice and a staff member impermissibly downloads patients’ PHI to his personal computer. Again, you would need to notify the affected patients.
The effective date of the new HIPAA Breach Notification Rules is today, September 23, 2009. However, HHS has stated it will not impose penalties until February 22, 2010.