Last week, the U.S. Department of Health and Human Services (HHS) released interim final regulations on the notification requirements for breaches of unsecured protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The guidance addresses a number of important changes to the HIPAA Privacy Rule that were introduced on February 17, 2009, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act requires covered entities to notify affected individuals and HHS (and in the case of breaches affecting 500 or more individuals, the media) upon discovery of an impermissible use or disclosure of PHI.

Notification is required only if the breach involves unsecured PHI that poses a significant risk of financial, reputational, or other harm to the individual involved. The inclusion of a harm threshold in the final regulations requires covered entities to complete a risk assessment after the discovery of a breach. The regulations also set forth how and when notification must be provided to affected individuals, the Secretary of HHS, and the media and the measures that covered entities should take when they have insufficient contact information for 10 or more affected individuals.

The regulations were published yesterday, August 24, 2009, in the Federal Register and are effective for breaches occurring on or after September 23, 2009. Given the short period of time until the effective date, HHS and the Federal Trade Commission—which has issued similar breach notification rules affecting personal health records—have announced that they will not impose sanctions for noncompliance until 180 days after the publication date of the regulations.

In earlier guidance, HHS defined measures that covered entities could take to prevent information from being treated as unsecured for these purposes. To learn more about that guidance, click here to read our alert dated April 24, 2009. This guidance also becomes effective on September 23, 2009.

Ballard Spahr's Employee Benefits and Executive Compensation Group and Health Care Group are reviewing these regulations and will discuss them in more detail during their "HIPAA Days Are Here Again" seminarbeing offered both in our Philadelphia office and live via webinar on September 15, 2009. Click here to register.

Contact Information

If you have any questions about these new regulations, please contact one of the following:

Jean C. Hemphill (215.864.8539;

Edward I. Leeds (215.864.8419;

Copyright © 2009 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This newsletter is a periodic publication of Ballard Spahr LLP and is intended to alert the recipients to new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer concerning your situation and specific legal questions you have.