New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months. Both rules were mandated under the American Recovery and Reinvestment Act. A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement. "Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule. "During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule." A separate rule for HIPAA-covered entities, the HHS interim final rule, was published on Aug. 24 with a Sept. 23 effective date. The rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches. The HHS rule also includes updated guidance on how to determine when information is "unsecured" and notification is required. If breached data is unusable, unreadable or indecipherable to unauthorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required. Because of industry concerns with the quick deadlines and ambiguities in the law, HHS in the rule granted an enforcement grace period. "We will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or Feb. 22, 2010," the HHS interim final rule states. "During this initial time period--after this rule has taken effect but before we are imposing sanctions--we expect covered entities to comply with this subpart and will work with covered entities, through technical assistance and voluntary corrective action, to achieve compliance." Both rules are available in the Federal Register at gpoaccess.gov/fr/index.html. Under "Browse the Table of Contents from back issues," click "Go" and select the Aug. 24 and Aug. 25 issues. This article can also be found at HealthDataManagement.com.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access