HHS releases guidance for securing health information, preventing harm from breaches 

The U.S. Department of Health and Human Services (HHS) has published guidance regarding technologies and methodologies to secure health information and prevent harm by rendering health information unusable, unreadable, or indecipherable to unauthorized individuals. The American Recovery and Reinvestment Act of 2009 (P.L. 111-5) required publication of the guidance by April 18. This builds on the existing requirements of the HIPAA Privacy and Security Rules, which are unchanged.

"Protecting patient privacy is a top priority and this guidance specifies proactive steps organizations can take to limit the potential harm a breach can cause," said HHS Spokesman Nick Papas.

The guidance provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to "breach notification" regulations, which HHS and the Federal Trade Commission will each issue. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.

The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare & Medicaid Services (CMS). The guidance can be read at: www.hhs.gov/ocr/privacy.

The guidance must be updated annually, but HHS may update and reissue it this year, after public comment is considered and at the same time that HHS's breach notification regulation is published.

Reprinted with permission. © CCH
(Submitted April 2009)
