Health data breach notification rules published

The Department of Health and Human Services has published an interim final rule in the Federal Register formalizing a requirement contained in the HITECH portion of the American Recovery and Reinvestment Act: organizations must provide breach notification for unsecured protected health information. The rule is another step in what appears to be the expansion of health IT security and privacy regulation to organizations and business entities beyond those explicitly named as covered entities in the Health Insurance Portability and Accountability Act (HIPAA).

In parallel with HHS’ action, the Federal Trade Commission published a final breach notification rule for electronic health information that applies to online vendors providing personal health records and related services. In general, personal health record providers such as Google, Microsoft, and myPHR are not covered by the HIPAA privacy and security rules, but under a clause in HITECH they are to be treated much like covered entities, at least with respect to the obligation to disclose data breaches.

Entities falling under either the HHS or the FTC rule have one primary way to avoid the notification obligation: encrypt or otherwise render the data unusable, unreadable, or indecipherable to unauthorized persons, as implied by both rules’ emphasis on “unsecured” health information. The exemption turns on how the data was secured rather than on whether it was lost; HHS first issued guidance in April on the technologies and methods organizations can use to secure their data, and only data protected in a manner consistent with that guidance falls outside the breach disclosure rules.