The first part of the HITECH Act is called “Improved Privacy Provisions and Security Provisions”. Section 13402 is the section that starts the discussion of privacy and security and is titled “Notification in case of breach”. This section accomplishes the following:
- Identifies who this section applies to: Covered Entities and Business Associates.
- Defines the time frame within which breaches must be reported to individuals and, depending on severity, to the mass media and the Department of Health and Human Services (HHS).
- Specifies the type of information that must appear in the notification letters.
- Defines Unsecured Protected Health Information. Note that the HITECH Act delegated the final definition to HHS by way of a “guidance”. The guidance was issued on 4/27/2009 in the Federal Register.
- Requires HHS to report to Congress, no later than 12 months after the date of enactment, on the nature of the breaches that occurred.
- Sets the time period for when the final regulations go into effect.
Section 13402 of the HITECH Act sets a very important precedent and provides notice to the healthcare industry that the Federal government is serious about securing health records. Another purpose of the HITECH Act is to incentivize healthcare providers to move from paper to electronic records. Confidence in the security of those electronic records is crucial to the adoption of electronic health records and is, in general, good public policy.
It should be noted that Congress essentially delegated the details of how the breach notification law is to be executed (known as a rule) to HHS. In August 2009 HHS issued the interim final rule on breach notification, and the rule went into effect in September 2009. However, enforcement will not officially start until February 2010, although HHS reserves the right to enforce the rule prior to February 2010 as it sees fit.