New Regulations Require Disclosure of Data Breaches
HIPAA-covered entities need to be aware of new regulations issued this week that require public disclosure of data breaches. The U.S. Department of Health and Human Services has issued new regulations that require providers, health plans, and other HIPAA-covered entities to notify individuals when their health information is breached.
Data breaches involving protected health information must be reported to the Department of Health and Human Services. Breaches affecting fewer than 500 individuals can be reported to the HHS secretary on an annual basis. However, breaches that affect more than 500 individuals must be promptly disclosed to the affected individuals, the HHS secretary, and the media.
Principal Deputy Director of the HHS Office Robinsue Frohboese has said that “The new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
These regulations were issued pursuant to provisions of the Health Information Technology for Economic and Clinical Health Act, which was signed into law in February 2009 by President Obama.

