Breach Notification for Unsecured Protected Health Information

The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is "unsecured protected health information," in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.