HIPAA Changes in the HITECH Act of 2009: Notification in the Case of Breach
House bill Sec. 4402
Senate bill Sec. 13402
Conference agreement Sec. 13402
This text is from the Conference Committee Report
Current Law
The Privacy and Security Rules promulgated pursuant to
HIPAA do not require covered entities (providers, health
plans, or health care clearinghouses) to notify HHS or
affected individuals of a breach of the privacy, security, or
integrity of their protected health information.
House Bill
In the event of a breach of unsecured PHI that is
discovered by a covered entity, the House bill would require
the covered entity to notify each individual whose
information has been, or is reasonably believed to have been,
accessed, acquired, or disclosed as a result of such breach.
The notification requirement would not apply to certain
unintentional acquisition, access, use, or disclosure of
protected health information. For a breach of unsecured PHI
under the control of a business associate, the business
associate upon discovery of the breach would be required to
notify the covered entity. Notice of the breach would have to
be provided to the Secretary and prominent media outlets
serving a particular area if more than 500 individuals in
that area were impacted. If the breach impacted fewer than
500 individuals, the covered entity involved would have to
maintain a log of such breaches and annually submit it to the
Secretary.
The House bill would define unsecured PHI as information
that is not secured through the use of a technology or
methodology identified by the Secretary as rendering the
information unusable, unreadable, and undecipherable to
unauthorized individuals.
The House bill would require the Secretary each year to
report to appropriate committees in Congress on the number
and type of breaches, actions taken in response, and
recommendations made by the National Coordinator on how to
reduce the number of breaches. Within 180 days of enactment,
the Secretary would be required to issue interim final
regulations to implement this section. The provisions in the
section would apply to breaches discovered at least 30 days
after the regulations were published.
Senate Bill
Same as the House provision, except that the Senate bill makes
no reference to recommended encryption standards in the
Secretary's annual guidance on securing PHI.
Conference Agreement
Similar to the House provision, with one difference: notification
would still be required for an unintentional disclosure unless
the disclosure was to an individual authorized to access health
information at the same facility.