HHS Issues Guidance on Security Technologies for Breach of Health Records

Under the new breach notification requirements for health records imposed by the American Recovery and Reinvestment Act of 2009 (ARRA), individuals do not have to be notified if the information that was breached was rendered "unusable, unreadable, or indecipherable" through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS). Today, HHS published those recommendations and asked for public comment. The guidance is relevant both to the breach notification rules that will be enforced by the Federal Trade Commission, which apply to vendors of personal health records and other related entities, and to the notification rules that apply to entities covered by HIPAA (the Health Insurance Portability and Accountability Act). In the same posting, HHS issued a request for information (RFI) seeking public input on how the agency should implement the new HIPAA breach notification requirements. The stated purpose of the RFI is to inform HHS' rulemaking on these provisions (which must be issued no later than August 17, 2009). FTC issued its proposed rules yesterday. Comments on the guidance and any response to the RFI are due May 21, 2009. CDT intends to submit comments on the guidance and responses to the RFI.