HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA.
According to the HHS press release:
The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
You can find the text of the regulation here.
Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.
Also, pursuant to Section 13403(a) of the HITECH Act, HHS Secretary Kathleen Sebelius designated an individual in each regional office of HHS (Regional Office Privacy Advisors) "to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules." The names, addresses, and contact information for each of the Regional Managers are listed here, together with a list of the States for which each Regional Manager has responsibility.
"HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," HHS Press Release (August 19, 2009).
"Designation of Regional Office Privacy Advisors," HHS Press Release (July 27, 2009).