WASHINGTON – The Department of Health and Human Services has issued guidance on how to comply with the security specifications found in the economic recovery package.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA) in February, requires providers to use certain technologies and methodologies to keep protected health information unusable, unreadable or indecipherable to unauthorized individuals.
The guidance was developed through a joint effort by the HHS Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services.
The guidance includes to two forthcoming breach notification regulations - one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and one to be issued by the Federal Trade Commission for vendors of personal health records and other non-HIPAA covered entities.
HITECH requires these regulations to be published within 180 days of enactment.
If those subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.
HHS has also called for public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance.
The guidance and request for public comment are available online and will also be published in the Federal Register.
