On August 19, 2009, the U.S. Department of Health and Human Services (“HHS”) issued new interim final regulations which will require health care providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached.  These breach notification regulations implement provisions of Health Information Technology for Economic and Clinical Health Act (“HITECH”), part of the American Recovery and Reinvestment Act (“ARRA”) of 2009 signed into law earlier this year. 

The regulations require HIPAA covered entities to promptly inform affected individuals of certain types of breaches.  Covered entities are also required to notify the HHS Secretary and the media in cases where a breach was widespread and affected more than five hundred individuals.  Breaches affecting less than five hundred individuals must be reported on an annual basis to the HHS Secretary but do not require media notification.  These regulations also require business associates of covered entities to notify the covered entities of breaches.

In a press release, an HHS representative is quoted as saying, “[t]his new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care.  These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”

Both covered entities and business associates under HIPAA will quickly need to update business associate agreements to comply with the requirements under these new regulations, as well as develop and/or update policies and procedures relating to breaches and notifications. These new regulations are effective 30 days after publication in the Federal Register (expected within the next week) and include a 60-day public comment period.

Please contact any member of Taft’s Health and Life Sciences Practice Group with questions relating to HITECH and these new regulations.