HIPAA Changes in the HITECH Act of 2009: Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities

House bill Sec. 4407
Senate bill Sec. 13407
Conference agreement Sec. 13407

This text is from the Conference Committee Report

Current Law

There is no Federal law that requires entities to notify
individuals when their health information has been breached.

House Bill

The House bill would require personal health record (PHR)
vendors and entities offering products and services through a
PHR vendor's website, upon discovery of a breach of security
of unsecured PHR health information, to notify the
individuals impacted and the FTC. Further, third party
service providers that provide services to PHR vendors and to
other entities offering products and services through a PHR
vendor's website and, as a result, that handle unsecured PHR
health information would, following the discovery of a breach
of security of such information, be required to notify the
vendor or other entity. The requirements in Section 4402 for
the content and timeliness of notifications also would apply
to this section. Unsecured PHR health information means PHR
health information that is not protected through the use of a
technology or methodology specified by the Secretary in
guidance issued pursuant to Section 4402.

The FTC would be required to notify HHS of any breach
notices it received and would be given enforcement authority
regarding such breaches of unsecured PHR health information.
Within 180 days, the Secretary would be required to issue
interim final regulations to implement this section. The
provisions in the section would apply to breaches discovered
no sooner than 30 days after the regulations are published.
The provisions in this section would no longer apply to
breaches occurring after HHS or FTC had adopted new privacy
and security standards for non-HIPAA covered entities,
including requirements relating to breach notification.

Senate Bill

The Senate bill includes the same provisions.

Conference Agreement

The conference agreement is the same as the House and
Senate language with minor clarifications. The conference
agreement requires that the FTC issue regulations, as opposed to
the Secretary of HHS. The conference agreement applies the
breach notification provision to entities that access and
receive health information to and from a personal health
record.
