WASHINGTON – The Department of Health and Human Services issued new regulations Wednesday requiring healthcare providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify patients if their electronic health information has been breached.
The regulations are mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February.
Developed by the HHS Office for Civil Rights (OCR), they require healthcare providers and other HIPAA "covered entities" to promptly notify people whose health records have been breached, and also to notify the HHS Secretary and the media when a breach affects more than 500 people.
Covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies – if they transmit any information in an electronic form using a standard that HHS has adopted.
According to the OCR, the rule also applies to health insurance companies, HMOs, company health plans and government programs that pay for healthcare, such as Medicare, Medicaid and the military and veterans' health care programs. It includes healthcare clearinghouses that process non-standard health information received from another entity into a standard electronic format or data content, or vice versa.
"This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director and principal deputy director of the OCR. "These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."
HHS officials said they developed the regulations after taking public comment last April and in "close consultation" with the Federal Trade Commission. The FTC has issued its own breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.
To help providers determine when information is "unsecured" and notification is required under the HHS and FTC rules, HHS is also issuing an update to its guidance on encryption and destruction, the technologies that render health information unusable to unauthorized persons. Providers subject to the HHS and FTC regulations that secure electronic health records according to that HHS guidance, through encryption or destruction, are relieved of the duty to notify in the event of a breach. The guidance will be updated annually.
The HHS interim final regulations on breach notification will be effective 30 days after they are published in the Federal Register and will include a 60-day public comment period.