Breach Notification for Unsecured Protected Health Information

Published by HHS in Federal Register on 08/24/09


45 CFR Parts 160 and 164

RIN 0991–AB56

The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is "unsecured protected health information," in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

Effective Date: This interim final rule is effective September 23, 2009.
