By August 16, 2009, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (DHHS) are expected to issue interim final rules that establish new federal notification requirements for security breaches involving protected health information and personal health records. Although many states currently have security breach notification laws, these new regulations will establish a federal standard for the health care industry, and they will cover certain entities that are not currently subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Sharon Klein and Rebekah Monson of Pepper Hamilton have detailed the upcoming requirements in an article published in the June 2009 issue of the Privacy & Data Security Law Journal. As they explain in the article, the developments to date are:
- the new requirements arise from the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009;
- in April 2009, the DHHS issued guidance that describes the HITECH Act’s breach notification requirements for HIPAA-covered entities and their business associates, as well as notification requirements under proposed FTC regulations for vendors of personal health records and other non-HIPAA covered entities;
- also in April 2009, the FTC proposed regulations covering breach notification requirements for personal health record vendors who are not covered by HIPAA.
The full article, with more details about the proposed FTC rules and DHHS guidance, is available here.