The new rules, part of the Health Information Technology for Economic and Clinical Health Act, require healthcare providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals, according to the release. Breaches that affect less than 500 individuals will be reported to HHS annually.
Business associates of covered entities will be required to notify the entity of any breaches at or by the associate, according to the release.
Additionally, HHS has issued an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals, which will be updated annually.
Read the HHS news release about the new healthcare information breach notification regulations.
