On August 24, 2009, the U.S. Department of Health and Human Services ("HHS") published its interim final rule in the Federal Register, thereby implementing the HITECH Act. The Act’s breach notification rules will become effective on September 23, 2009 — fewer than 30 days away.
Therefore, as the Act relates to employer-sponsored group health plans and health care providers, any breaches of protected health information (PHI) that occur on or after September 23rd must be reported to the affected individuals and, when the breach impacts 500 or more individuals, to HHS and the media. Covered entities must make annual reports of breaches of PHI impacting fewer than 500 individuals. Beginning on September 23rd, business associates also will be required to notify the group health plan or health care provider for which they are providing services of any breaches occurring at or caused by the business associate.
Porter Wright has issued two Client Alerts on the HITECH Act, one at the time the statute was enacted and one earlier this week when the interim final rule was published. Those Alerts, which more fully discuss the impact of the HITECH Act, can be found here and here.