HHS issues rule on patient privacy breaches
Hospitals, doctors and other health care organizations covered under HIPAA are covered by the new rule. Posted in the Federal Register August 24, the rule takes effect on Sept. 23.
The regulation, developed by the HHS Office for Civil Rights, requires health care providers and other HIPAA-covered entities to notify affected individuals of a breach without unreasonable delay but in no case later than 60 calendar days from when the breach was discovered. HHS must be notified annually of breaches, and if a breach affects more than 500 individuals, HHS must be notified within 60 days. If the breach involves 500 or more individuals in the same state, prominent local media outlets serving that state must be notified.
In the 30-page ruling, HHS offers guidance on what unsecured protected health information means and identifies technologies and methodologies that would secure personal health information sufficiently to obviate the need to notify patients of a data breach. The requirements provide detailed information about which incidents will require dentists to provide notification of a breach and how to report it.
The ADA is reviewing the rule and will be posting resources at www.ada.org/goto/HIPAA as soon as the review is completed. The resources will assist dentists in walking through steps required to comply if a breach occurs and will include question-and-answer formatted resources for the dentist and dental office staff. The Q-and-A series will help dentists determine applicability of the new breach notification rules in a number of likely scenarios. It will also assist members and their employees who have questions about their current security needs, including encryption. Finally, there will be a discussion of proper media and records disposal.
The rule is part of increased privacy and security protections under the American Recovery and Reinvestment Act of 2009. It's related to regulations also released by the Federal Trade Commission covering breaches involving vendors of personal health-record systems and other associated businesses not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
Signed into law in February, the ARRA incorporates the Health Information Technology for Economic and Clinical Health Act, which seeks to develop a nationwide health information technology infrastructure for electronic dissemination of health records. HITECH expands on HIPAA's privacy and security protections for individuals' health information.
The regulations will also require business associates of covered entities to notify the covered entity of breaches that the business associate discovers so that the covered entity can provide the required notification. Employees are not business associates, nor are most referral or group practice relationships, as long as the information shared is related to the treatment of a referred or group practice patient. Examples of a dentist's typical business associates include (but are not limited to) claims processing, billing and practice management companies, information system vendors, electronic clearinghouses, lawyers, accountants and technical support companies.
To read the interim final rule, visit www.hhs.gov/ocr. Click on the HHS press release, HITECH Breach Notification Interim Final Rule, at the right of the page. The link to the Aug. 24 Federal Register posting is included at the bottom of the page. Comments on the interim final rule, identified as RIN 0991-AB56, may be submitted on or before Oct. 23 at www.regulations.gov or sent to U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Ave., SW, Washington, D.C., 20201. Submit one original and two copies.