HHS and FTC Release Final Breach Notification Rules Under HITECH Act

2009-08-21
The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have released final rules on health information breach notification requirements for covered entities under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was included in the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5).

The FTC released a final rule on August 17, 2009 concerning breach notification requirements for personal health record (PHR) vendors and related entities. HHS issued an interim final rule on August 19 for HIPAA-covered entities (health plans and health care providers) and their business associates. In its interim final rule, HHS also updated its April 2009 guidance on the methodologies and technologies to render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals.

In response to comments received (for example, requests that a regulated entity be able to tell which rule applies to it, and that the rules address an entity that may be subject to both), the FTC and HHS worked together to harmonize their respective breach notification rules and to address these comments in each.

Applicability

The FTC's final rule applies to PHR vendors, PHR-related entities, and third-party service providers to such entities, with respect to a breach of security of unsecured PHR identifiable health information. HHS's interim final rule applies to HIPAA-covered entities and their business associates with respect to breaches of unsecured PHI.

Provisions of the FTC and HHS Final Rules

Timing of Notification to Affected Individuals

  • HHS: HIPAA-covered entities must provide written notification to affected individuals without unreasonable delay and no later than 60 calendar days following the discovery of the breach of unsecured PHI. Business associates of HIPAA-covered entities that discover a breach of unsecured PHI are required to notify the covered entity without unreasonable delay and no later than 60 calendar days following discovery of the breach, so that the covered entity can provide notification to affected individuals.
  • FTC: PHR vendors and PHR-related entities that discover a breach of unsecured PHR identifiable health information must provide written notification to affected individuals without unreasonable delay and no later than 60 calendar days following the discovery of the breach of security. Third-party service providers to PHR vendors and PHR-related entities are required to notify the entity upon discovery of a breach, and the PHR vendor or PHR-related entity is required to provide notice to individuals.

Form and Content of Notice

The rules outline requirements regarding forms of notice to individuals (including further clarification for notification methods if individuals cannot be reached) and the content of the notice.

Notification to the Media

  • HHS: A covered entity must notify the prominent media outlets serving a state or jurisdiction for breaches of unsecured PHI involving more than 500 residents of such state or jurisdiction.
  • FTC: A PHR vendor or PHR-related entity must notify the prominent media outlets serving a state or jurisdiction for breaches of security involving 500 or more residents of such state or jurisdiction.

Notification to HHS or FTC

  • HHS: For breaches of unsecured PHI involving 500 or more individuals, HIPAA-covered entities must notify the HHS Secretary concurrently with the notification to the individual--without unreasonable delay but in no case later than 60 calendar days following discovery of a breach. In addition, the HHS Secretary must post on the HHS Web site a list of covered entities that submit reports of breaches of unsecured PHI involving more than 500 individuals. For breaches of unsecured PHI involving fewer than 500 individuals, a HIPAA-covered entity must submit information to HHS annually, no later than 60 days after the end of the calendar year.
  • FTC: PHR vendors and PHR-related entities are required to notify the FTC within ten business days of breaches involving 500 or more individuals and annually of all breaches involving fewer than 500 individuals.

Effective Dates

The FTC and HHS rules are effective 30 days after they are published in the Federal Register.

The Background to the FTC final rule provides that the FTC "...will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before 180 days after the rule is published in the Federal Register." The description of the Effective/Compliance Date in HHS' interim final rule provides that the interim final rules "...are effective, and compliance is required, for breaches occurring on or after 30 calendar days from publication of this rule. However, ...we will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from publication of this rule."

HHS is seeking comments on the provisions of its interim final rule, which are due on or before 60 days after the rule is published in the Federal Register.

Additional Resources

The HHS news release.

The FTC news release.

The FTC Web page for entities that need to provide notification of a breach.

Hewitt will continue to monitor the impact of these regulations on employers. For additional information, please contact your Hewitt Consultant.
