HHS & FTC Release Guidance On HITECH Act Data Breach Rules for Personal Health Records

September 01, 2009 in Industry News

On April 17, 2009, the Department of Health & Human Services (“HHS”) released its initial guidance (the “HHS Guidance”) to health care providers, health plans and health care clearinghouses (“HIPAA Covered Entities”) and their business associates about when the new data breach notification rules added to federal law by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (the “UPHI Breach Notice Rules”) will require notification of a breach of the security of “unsecured protected health information” (“Unsecured PHI”).

Concurrently, the Federal Trade Commission (“FTC”) released proposed regulations (the “FTC Rules”) to implement new health information data breach and other health information privacy and security mandates included in the HITECH Act for non-HIPAA Covered Entities providing or accessing personal health records and certain other consumer health information (“PHR”).

The HHS Guidance and FTC Rules are required as part of the agencies' responsibilities for implementing various amendments to the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) privacy and data security requirements and other federal health care technology reforms enacted under the HITECH Act when President Obama signed the American Recovery and Reinvestment Act of 2009 (“ARRA”) into law on February 17, 2009.

The HHS Guidance and the FTC Rules respectively relate to two separate new breach notification regimes:

• The HHS Guidance sets forth guidance concerning the new rules applicable to HIPAA Covered Entities under Section 13402 of the HITECH Act (the “UPHI Breach Notice Rules”);

• The FTC Rules propose new rules to apply to vendors of personal health records and other non-HIPAA covered entities dealing with “personal health records” (“PHRs”) within the meaning of the HITECH Act (the “PHR Breach Notice Rules”).

Entities covered by either set of rules will be required to provide the specified notifications if and when a breach of this data occurs, unless the data was safeguarded in accordance with the applicable HHS Guidance or FTC Rules, in which case it is not treated as unsecured and the notification duty is not triggered.