Final Regulations on HITECH Security Breach Notification for HIPAA Protected Health Information
August 28, 2009
The Department of Health and Human Services has issued interim final regulations on the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirement for protected health information under the Health Insurance Portability and Accountability Act (HIPAA) that was enacted as part of the American Recovery and Reinvestment Act of 2009 ("the stimulus law"). A Bulletin discussing this information is now available:
http://www.sibson.com/publications-and-resources/bulletins/?id=1310
The stimulus law's changes to the HIPAA privacy and security rules present several issues for plan sponsors in complying with the new breach notification requirements, which take effect September 23, 2009:
- Deciding whether to implement new safeguards in response to the breach notification requirements,
- Assessing the plan's readiness to take advantage of the HHS safe harbor encryption and destruction standards,
- Updating HIPAA privacy policies and procedures, as required by the new rules,
- Training HR or fund office staff about breach notification and their new policies and procedures, and
In addition, plan sponsors must decide what technology improvements are necessary for their business operations, determine whether to adopt "safe harbor" encryption rules, and revise security policies and procedures.