HHS Puts More Teeth Into HIPAA Regulations

HHS released an interim final rule on breach notification and the acceptable methods for covered entities (CEs) and business associates (BAs) to encrypt and destroy patient records in order to prevent breaches of protected health information (PHI).

The American Recovery and Reinvestment Act (ARRA) of 2009 required HHS to issue the final guidance, six months after President Barack Obama signed into law Title XIII of the ARRA — the Health Information Technology for Clinical and Economic Health (HITECH) Act.

The breach notification regulations take effect September 23.

However, covered entities need not worry about HHS enforcement until February 22, 2010.

HHS says in the Federal Register it will "use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010."

The regulations include the following:

• Notice to patients alerting them to breaches “without reasonable delay” within 60 days
• Notice to CEs by BAs when BAs discover a breach
• Notice to “prominent media outlets” about breaches of more than 500 patient records
• Notice to “next of kin” about breaches of patients who are deceased
• Notice to the secretary of HHS about breaches of 500 or more patient records without reasonable delay
• Annual notice to the secretary of HHS of breaches of fewer than 500 patient records when their PHI is unsecure (which poses a significant financial risk or other harm to the individual)

The Federal Trade Commission (FTC) also issued its final rule requiring some Internet-based businesses to notify consumers when there is a breach of consumer PHI, according to an FTC press release issued Monday.