HHS guidance builds on HIPAA privacy, security rules

The Department of Health and Human Services (HHS) on Friday published guidance on technologies and methodologies for securing health information by rendering health data unusable, unreadable, or indecipherable to unauthorized individuals, as required by the American Recovery and Reinvestment Act of 2009 (ARRA).

The release comes on the heels of a proposed rule issued by the Federal Trade Commission (FTC), also as required by the ARRA, regarding consumer notification by personal health record (PHR) vendors when a breach has occurred. "Protecting patient privacy is a top priority and this guidance specifies proactive steps organizations can take to limit the potential harm a breach can cause," said HHS Spokesman Nick Papas.

The HHS guidance provides steps entities can take to secure personal health information and establishes the trigger for when entities must give notice that patient data has been compromised. This guidance is related to "breach notification" regulations, which will be issued by HHS and the FTC respectively.

The HHS regulations will apply to entities covered by HIPAA and the FTC regulation will apply to PHR vendors and certain others not covered by HIPAA.

The ARRA requires that these regulations be published within 180 days of enactment.

The guidance, developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare & Medicaid Services (CMS), can be read by visiting www.hhs.gov/ocr/privacy.

HHS said the guidance must be updated annually, but it can be updated and reissued this year, after public comment is considered and at the same time that HHS's breach notification regulation is published.


