
HHS finalizes breach notification guidelines, defines unsecured PHI


HHS released final guidance on breach notification, including the conditions under which protected health information (PHI) that covered entities and business associates have encrypted or destroyed counts as secured, so that its loss or exposure is not a reportable breach.

The American Recovery and Reinvestment Act of 2009 (ARRA) required the final guidance – released by HHS yesterday in this report – six months after President Barack Obama signed into law Title XIII of the ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The breach notification regulations take effect 30 days after the interim final rule is published in the Federal Register; it was published Monday, August 24, so the rule takes effect Wednesday, September 23.

However, HHS will not sanction covered entities for failing to make the required notifications until February 22, 2010.

HHS says in the Federal Register it will “use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010.”

The breach notification provisions include:

  • Notice to affected individuals “without unreasonable delay,” and no later than 60 calendar days after the breach is discovered
  • Notice to covered entities by business associates (BAs) when BAs discover a breach
  • Notice to “prominent media outlets” for breaches affecting more than 500 individuals
  • Notice to “next of kin” for breaches involving patients who are deceased
  • Notice to the Secretary of HHS, without unreasonable delay, of breaches affecting 500 or more individuals
  • Annual notice to the Secretary of HHS of breaches of “unsecured PHI” affecting fewer than 500 individuals that pose a significant risk of financial, reputational, or other harm to the individual

The Federal Trade Commission also published its final rule in the Federal Register requiring certain Internet-based businesses to notify consumers when their health information has been breached, according to an FTC press release issued Monday, August 17.

The FTC rule applies only to vendors of personal health records – which “provide online repositories that people can use to keep track of their health information” – and to entities that offer third-party applications for personal health records, according to the release.

“This is just another example of trying to put some more teeth into the HIPAA regulations,” says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, ME. “Covered entities should already have been notifying patients of any breaches – it is an industry best practice.”

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, says it’s important to note the HHS interim final rule states that, in general, accidental disclosures within the same organization do not require notification.

The interim final rule states, “if there is no significant risk of harm to the individual, then no breach has occurred and no notification is required.”

“Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported,” Simons says.

In this week’s interim final guidance, HHS expanded its specification of the technologies and methodologies that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals”; PHI protected in one of these ways is not “unsecured PHI,” and its loss does not trigger the notification requirements. Some of these specifics were not in the draft guidance released in April.

In the interim final rule, the definitions for acceptable encryption, which HHS says it will update annually, include the following:

The definitions for acceptable destruction include the following:

Comments on the provisions of this interim final rule are due on or before October 23, 2009.


  1. Frank Ruelas says:

    I for one was glad to see that the Guidance did not seem to present any “surprises” and for the most part was consistent with the Guidance released back in April.

    Several of the examples given in the Guidance, in my opinion, were very representative of incidents that covered entities are likely to encounter on a recurring basis.

    It appears that this recent Guidance will go far in helping fill in some of the blanks created by the first Guidance as well as answering some of the questions that it likely raised.

    Notably, there didn’t seem to be any responses related to those questions which the first Guidance posed on the technologies and methodologies to render PHI unreadable, unusable, or indecipherable.

    All in all, I think this Guidance was a step in the right direction.
