HHS Issues Breach Notification Rules

The administration on Wednesday announced safeguards intended to protect consumers from health information technology breaches, as the White House moves forward on its healthcare overhaul.

Health IT has been a focal point of the stimulus package and the president's larger healthcare plan -- a plan that is under attack by the press and the public.

The Health and Human Services Department issued new rules, mandated by the Recovery Act, that require providers and insurers to notify patients when their health information is breached. They also must alert the media and HHS secretary when a breach affects more than 500 people.

The Federal Trade Commission had a hand in the regulations and has issued its own notification guidelines for businesses that fall outside of HHS' jurisdiction, such as health IT vendors. HHS' notification rules apply only to healthcare groups covered by the 1996 Health Insurance Portability and Accountability Act.

"These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese, HHS acting director and principal deputy director of the HHS Office for Civil Rights, in a press release.

The new HHS rules include an update to guidance on techniques for encrypting and destroying health information that render the content unreadable to unauthorized users. Industries that follow such procedures do not have to issue notifications when that information is breached.