Six Primary Goals of the HITECH Breach Notification Requirement

December 2, 2009 | Health IT and HITECH

The first part of the HITECH Act is called “Improved Privacy Provisions and Security Provisions”. Section 13402 is the section that starts the discussion of privacy and security and is titled “Notification in case of breach”. This section accomplishes the following:

  1. Identifies who this section applies to: Covered Entities and Business Associates.
  2. Defines the time frame in which breaches should be reported to individuals and, depending on severity, to mass media and the Department of Health and Human Services (HHS).
  3. Specifies the type of information that must appear in the notification letters.
  4. Defines Unsecured Protected Health Information. Note that the HITECH Act delegated the final definition to HHS by way of a “guidance”. The guidance was issued on 4/27/2009 in the Federal Register.
  5. Requires HHS to report to Congress, no later than 12 months after the date of enactment, on the nature of the breaches that occurred.
  6. Sets the time period when the final regulations go into effect.

Section 13402 of the HITECH Act sets a very important precedent and provides notice to the healthcare industry that the Federal government is serious about securing health records. Another purpose of the HITECH Act is to incentivize healthcare providers to move from paper to electronic records. Confidence in the security of those electronic records is crucial to the adoption of electronic health records and, in general, is good public policy.

It should be noted that Congress essentially delegated the details of how the breach notification law is to be executed (known as a rule) to HHS. In August, 2009 HHS issued the interim final rule on breach notification, and the rule went into effect in September, 2009. However, enforcement will not officially start until February, 2010, although HHS reserves the right to enforce the rules prior to February, 2010 as it sees fit.

Tags: American Recovery and Reinvestment Act, Breach Notification, business associate, covered entity, HITECH Act, PHI, protected health information