August 24, 2009, HHS issued the Breach Notification for Unsecured Protected Health Information; Interim Final Rule. The rule requires certain health care facilities to notify patients of privacy breaches of their unsecured health information. On September 23, 2009 the IFR went into effect for both covered entities and business associates. On February 18, 2010, enforcement of the IFR began for both covered entities and business associates. After months of comment review and crafting of the final rule, HHS recently submitted it to the Office of Management and Budget. The OMB review is the final step before releasing the final rule.
On July 28, 2010, HHS announced the withdrawal of the the rule “to allow for further consideration, given the department’s experience to date in administering the regulations.” While the final rule is on hold the IFR remains in effect. HHS says it plans to publish the final rule in the coming months.
In additional HIPAA news, HHS issued a NPRM for modifications to the HIPAA Privacy,Security, and Enforcement Rules Under the HITECH Act on July 14, 2010. The rule proposes modifications to the Privacy Rule, the Security Rule, and the Enforcement Rule issued under the HIPAA of 1996. The purpose of these modifications is to implement recent statutory amendments under the HITECH Act to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules. The comment period is open until September 13, 2010.