Apr 21 2009

HHS Releases Guidance for Securing Health Information and Preventing Harm from Breaches

The U.S. Department of Health and Human Services (HHS) published guidance regarding technologies and methodologies to secure health information and prevent harm by rendering health information unusable, unreadable, or indecipherable to unauthorized individuals. The American Recovery and Reinvestment Act required publication of the guidance by April 18. This builds on the existing requirements of the HIPAA Privacy and Security Rules, which are unchanged.

The guidance provides steps entities can take to secure personal health information and establishes the trigger for when entities must give notice that patient data has been compromised. This guidance is related to the “breach notification” regulations that HHS and the Federal Trade Commission (FTC) will each issue. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.

The guidance must be updated annually, but HHS may update and reissue it this year, after public comment is considered and at the same time HHS’ breach notification regulation is published.