HHS Announces HITECH Act Breach Notification Guidance

HHS Announces HITECH Act Breach Notification Guidance

WASHINGTON – On Friday, April 17, 2009, The U.S. Department of Health and Human Services (HHS) issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).  This guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare and Medicaid Services (CMS).
 This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH).  HITECH requires these regulations to be published within 180 days of enactment.  If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.   
 In addition to this guidance, HHS has also concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance.  The guidance and RFI is available at www.hhs.gov/ocr/privacy.  Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov.