The breach notification rule issued by the Department of Health and Human Services (“HHS”) goes into effect on Wednesday, September 23, 2009.
HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Covered entities do not need to provide breach notification if the PHI was secured through methodologies and technologies specified by HHS in recent Guidance. Notice also is not required if the breach does not pose a significant risk of financial, reputational or other harm to the individuals whose information was breached, or under a few other limited exceptions covering certain internal disclosures and breaches involving limited health information.
While HIPAA covered entities are expected to comply with this rule effective September 23, HHS has stated that it will not impose sanctions for failure to provide breach notifications until February 22, 2010, in order to give covered entities time to come into compliance. HHS is accepting comments on the provisions of the rule until October 23, 2009.