

New HIPAA Rule for Group Health Plans and Health Care Providers

Requires Notification of Breach of Unsecured Protected Health Information

September 16, 2009

The first of many amendments to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH) takes effect on September 23, 2009.  Until now, HIPAA did not require covered entities to notify individuals of breaches of their protected health information, unless the individuals specifically requested an accounting of unauthorized disclosures.  Subject to certain exceptions, covered entities such as health plans and health care providers must now give notice to affected individuals of a breach of unsecured protected health information.   In some cases, the required notice will include alerting the news media as well as individual mailings.

As might be expected with anything HIPAA-related, the rules are complicated:

The required notice will vary depending on the scope of the breach.  In all cases, notice must be given "without unreasonable delay" and in no case later than 60 days after discovery of the breach.  Discovery is presumed if any employee (other than the person who committed the breach) knows or should know that the breach occurred.  The notice must be written in plain language and must disclose:

In all cases, the covered entity must notify affected individuals in writing by U.S. mail or e-mail.  If the breach affects more than 500 residents in a particular state or jurisdiction, however, the covered entity must also notify prominent media outlets.  The covered entity must report breaches to HHS on an annual basis, but in the case of a breach affecting more than 500 individuals (regardless of location), the covered entity must notify HHS at the same time that it notifies the affected individuals.  A HIPAA business associate that discovers a breach of unsecured PHI is required to give notice to the covered entity so that the covered entity may give the required notice to affected individuals.

The breach notification rule is just one of many changes made by HITECH.  Other amendments, slated to go into effect starting in February 2010: