The Department of Health and Human Services (HHS) released the interim final rule governing Health Insurance Portability and Accountability Act (HIPAA) security breach notification. The rule sets out what a covered entity (CE) must do following a breach of unsecured protected health information (PHI). CEs must comply with these requirements starting September 23, 2009. A typical example of a breach is the theft of a laptop containing unsecured patient information.
Under the regulations, a CE must notify affected individuals following the discovery of a breach of unsecured PHI. A "breach" is the acquisition, access, use, or disclosure of PHI that is not permitted under the HIPAA privacy rule and that compromises the security or privacy of the PHI. "Compromises the security or privacy of PHI" means the incident poses a significant risk of financial, reputational, or other harm to the individual. "Unsecured PHI" is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified in guidance issued by the Secretary of HHS. The Secretary released that guidance in the spring, specifying encryption and destruction as the methods that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Note that under the guidance encryption only qualifies if the decryption key has not itself been compromised; a stolen laptop whose encryption key is stored alongside the data is still a breach of unsecured PHI.
If a CE discovers a breach, it must provide written notice to each affected individual without "unreasonable delay" and in no case later than 60 days after the discovery of the breach. A business associate that discovers a breach must notify the CE on the same timeline. If a breach involves 500 or more individuals, the CE must also notify the Secretary of HHS, and it must notify the media if the breach involves more than 500 residents of a state or jurisdiction. If a breach involves fewer than 500 individuals, the CE must log it and submit the log to the Secretary annually.
Recognizing that some entities may need more time to comply, HHS states that it will not impose sanctions for failure to provide the required notifications for breaches discovered up to 6 months after publication of the rule, that is, until approximately February 22, 2010. HHS plans to work with CEs to achieve compliance during that period.
For further information, please contact Kate Romanow, ASHA's Director of Health Care Regulatory Advocacy, at kromanow@asha.org or 800-498-2071, ext. 5671.