Tuesday, September 22, 2009

Expanded data breach rules to take effect

Expanded health data breach notification rules are set to take effect this week.

The rules, which were required under the stimulus bill, apply to HIPAA-covered entities and their business associates, requiring them to provide notification in the case of breaches of unsecured protected health information.

Under the rule (here’s HHS’ interim final rule), health care providers must now alert patients to data security breaches, and the rule imposes penalties for such breaches. If the breach involves more than 500 individuals, the provider must also report it to HHS and to the media.

The rule is broader than previous regulations because it also applies to business associates of the providers. (If the breached data was encrypted in a manner consistent with HHS guidance, it does not count as “unsecured” protected health information, and the provider does not need to notify patients.)

Business associates, which include any entity that provides services to a covered entity, such as consultants, third-party administrators or managers, claims processors, attorneys, accountants and software providers, must ensure that any electronic health information created, maintained or transmitted on behalf of the covered entity is protected, according to an American Medical News story. They must report any breaches to the provider.

Your business associates need written policies and safeguards to protect the information. We provide a sample form for a business associate agreement, but we are working to update it to reflect the changes and welcome any input.
