Wednesday, March 18, 2009

Changes coming for Healthcare Privacy

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (“ARRA”). Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and specifically Subtitle D, calls for new regulations and requirements to protect the privacy of health-related information that previously fell under HIPAA.

Under the HITECH Act, entities will be required to notify individuals of a breach of their personal health information (PHI) unless it is encrypted. The breach notification must be made without unreasonable delay and within no more than 60 days following the detection of the breach. If the breach involves more than 500 individuals, then the Department of Health and Human Services (“HHS”) must also be notified, as well as “prominent media outlets” in the applicable area. HHS will also be publishing the names and details of these reckless wrongdoers (my words, not theirs) on its website.

This will effectively make this the first federal data breach notification law in the country, and it will be just one more item that needs to be added to the ever-expanding data breach procedures at any organization that handles, owns or processes this type of information.

More information at the link below:
http://waysandmeans.house.gov/media/pdf/110/hit2.pdf