As we previously have noted, the Department of Health and Human Services recently issued an interim final rule under the HITECH Act requiring HIPAA-covered entities to notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach of unsecured protected health information.  Employers who sponsor self-insured group health plans need to take immediate action to ensure compliance with the new rule. Among other things, employers should be modifying written HIPAA privacy policies and procedures, training plan sponsor workforce members who are authorized to have access to protected health information, and modifying business associate agreements. A copy of Porter Wright’s Employee Benefits Practice Group’s Law Alert, which addresses the interim final rule from the perspective of the self-insured group health plan, can be found here.