Benefits

New Regulations Cover Health Care Information Data Breaches

By Staff Report

Aug. 25, 2009


The U.S. Department of Health and Human Services has issued regulations requiring providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act to notify individuals when their health information is breached.


The regulations issued Wednesday, August 19, implement provisions of the Health Information Technology for Economic and Clinical Health Act, which passed as part of the American Recovery and Reinvestment Act of 2009, which President Barack Obama signed into law in February.


The regulations require health care providers and other HIPAA-covered entities to promptly notify affected individuals, the HHS secretary and the media when the breach affects more than 500 individuals.


Breaches affecting fewer than 500 individuals must be reported to the HHS secretary annually. Business associates of covered entities also are required to notify the covered entity of breaches at or by the business associate, according to the HHS.


The new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care,” Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights, which developed the regulations, said in a statement. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”


Alison Schaap, a Chicago-based legal consultant with Hewitt Associates, said employers are “going to have to look at their existing polices, what needs to change in terms of how they provide the required notification to individuals, and what updates they need to make” to their business associate agreements “so they can get the necessary information within the required time frame to provide notification to individuals in the event of a breach of unsecured protected health information.”


America’s Health Insurance Plans, the Washington-based health insurer trade group, applauded the regulations.


“We are pleased that the new regulations give practical guidance plans and outline reasonable standards for assessing if a data breach has occurred,” AHIP said in a statement.



Filed by Judy Greenwald of Business Insurance, a sister publication of Workforce Management. To comment, e-mail editors@workforce.com.


Stay informed and connected. Get human resources news and HR features via Workforce Management’s Twitter feed or RSS feeds for mobile devices and news readers.

About Workforce.com

blog workforce

We build robust scheduling & attendance software for businesses with 500+ frontline workers. With custom BI reporting and demand-driven scheduling, we help our customers reduce labor spend and increase profitability across their business. It's as simple as that.

Book a call
See the software

Related Articles

workforce blog

Benefits

EEOC says that employers legally can offer incentives to employees to get vaccinated in almost all instances

If you’re an employer looking to get as many of your employees vaccinated as possible, you can rest eas...

ADA, CDC, COVID-19, EEOC, GINA, pandemic, vaccinated

workforce blog

Benefits

Fixing some common misconceptions about HIPAA

Ever since the CDC amended its COVID-19 guidance to say that the fully vaccinated no longer need to wea...

COVID-19, health care, HIPAA, human resources, wellness

workforce blog

Benefits

We are in the midst of a public mental health crisis; how employers can help

Do not ignore these issues or your employees who are living with them. Mental health illnesses are no d...

ADA, benefits, Coronavirus, FMLA, mental health, paid time off