The Department of Health and Human Services on Friday issued guidance for breach notifications as required by Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The guidance specifies the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. According to the announcement:
This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.
HHS also issued a request for information (RFI), asking for public comment on the breach notification provisions. Once published, comments may be submitted through www.regulations.gov.


