HIPAA-covered healthcare providers must notify individuals of information breaches under new rule
The Department of Health and Human Services has released an interim rule regarding healthcare information privacy breaches.
Under the rule, healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must notify individuals when the privacy of their "unsecured" health information is breached. The guidelines, which are published in today's Federal Register, implement provisions of the Information Technology for Economic and Clinical Health Act. The notifications encompass breaches that occur on or after Sept. 24.
Because covered entities may require time to comply with the guidelines, HHS will use its "enforcement discretion" and not immediately impose sanctions on those that fail to inform people of breaches. But HHS plans to work with those entities over the next six months to achieve compliance.
To find out more, go to the Federal Register home page.