On Thursday, August 20th, 2009, the U.S. Department of Health and Human Services (HHS) issued the Interim Final Rule on Breach Notification.
An important part of the interim final rule is the decision that encryption is the only acceptable technology for rendering protected health information (essentially, patient records) “unusable, unreadable, or indecipherable to unauthorized individuals”. The preamble to the rule explains that while other safeguards (such as access control) may continue to be used, they do not exempt a covered entity from the rule: if a breach occurs and unencrypted protected health information is disclosed to unauthorized individuals, a breach notification is required.
Breach notifications are essentially categorized as “under 500” and “over 500” records. If a breach affects fewer than 500 records, covered entities must maintain a log of the breach and notify the affected patients. If a breach affects 500 or more records, then not only the patients but also major media outlets and HHS must be notified. In addition, a hotline must be established so that people can call and obtain more information about the breach (notification procedures are specified in the HITECH Act, Section 13402). HHS can issue fines, and the attorneys general of each state are empowered to pursue these types of breaches on a criminal level.
The government is clearly serious about patient record privacy, since it is encouraging covered entities to move from paper records to electronic records as part of its overall healthcare reform efforts.
Tags: 13402, ARRA, breach notification