On August 24, 2009, the Department of Health and Human Services ("HHS") issued its interim final rule with regard to breach notification requirements for unsecured protected health information. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, HHS was required to issue interim final regulations regarding notification provisions in the event of a breach of unsecured protected health information. Generally, the HITECH Act requires HIPAA covered entities (i.e. health plans, health care providers who transmit certain transactions electronically and health care clearinghouses) to provide notification to affected individuals upon the discovery of a breach of unsecured protected health information. A notice is also required to be sent to a major media outlet if more than 500 individuals within a state or jurisdiction are impacted by the breach. Additionally, covered entities are required to notify HHS in the event of a breach of unsecured protected health information impacting 500 or more individuals.
Please see full publication below for more information.