The HITECH Act (the Health Information Technology for Economic and Clinical Health Act), enacted February 17, 2009, significantly supplemented and altered the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Among its provisions, the HITECH Act made both covered entities and their business associates responsible for notifying affected parties of breaches of patients' unsecured protected health information ("PHI").
On August 24, 2009, the Department of Health and Human Services ("HHS") published an interim final rule in the Federal Register (the "Final Rule"), which clarified covered entities' and business associates' obligations following breaches of patients' unsecured PHI. The Final Rule took effect September 23, 2009.
In summary, the Final Rule clarifies that when a breach occurs:
- A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of the breach, without unreasonable delay and in no case later than 60 calendar days after the breach is discovered;
- A covered entity must notify prominent media outlets in the event of a breach of unsecured PHI involving more than 500 residents of a State or jurisdiction;
- A covered entity must notify HHS without unreasonable delay in the event of a breach of unsecured PHI involving 500 or more individuals; breaches affecting fewer than 500 individuals must be logged and reported to HHS annually; and
- A business associate must notify the covered entity of any breach of unsecured PHI it discovers, so that the covered entity can meet the obligations above.
The Final Rule also provides guidance regarding what constitutes "unsecured" PHI, updating HHS's earlier guidance on this issue. PHI is "unsecured" when it has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified by HHS in that guidance, namely encryption or destruction. Notification is triggered only by breaches of unsecured PHI, so whether data was properly encrypted (with the keys kept separate from the data) is the practical test for whether a lost device or intercepted transmission is a reportable breach.