|<  <<  <  Page 1 of 109  >  >>  >|    Search Page    Contents Page

Federal Register – Breach Notification for PHI (Interim Final Rule)

Monday, August 24, 2009

Part II

Department of Health and Human Services

45 CFR Parts 160 and 164

Breach Notification for Unsecured Protected Health Information; Interim Final Rule

42740 Federal Register

Vol. 74, No. 162

Monday, August 24, 2009

Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB56

Breach Notification for Unsecured Protected Health Information

AGENCY:      Office for Civil Rights, Department of Health and Human Services.
ACTION:      Interim final rule with request for comments.
SUMMARY:     The Department of Health and Human Services (HHS) is 
             issuing this interim final rule with a request for 
             comments to require notification of breaches of unsecured 
             protected health information. Section 13402 of the Health 
             Information Technology for Economic and Clinical Health 
             (HITECH) Act, part of the American Recovery and 
             Reinvestment Act of 2009 (ARRA) that was enacted on 
             February 17, 2009, requires HHS to issue interim final 
             regulations within 180 days to require covered entities 
             under the Health Insurance Portability and Accountability 
             Act of 1996 (HIPAA) and their business associates to 
             provide notification in the case of breaches of unsecured 
             protected health information. For purposes of determining 
             what information is ‘‘unsecured protected health 
             information,’’ in this document HHS is also issuing an 
             update to its guidance specifying the technologies and 
             methodologies that render protected health information 
             unusable, unreadable, or indecipherable to unauthorized  
             individuals.
DATES:       Effective Date:
               This interim final rule is effective September 23, 2009.
             Comment Date: 
               Comments on the provisions of this interim final rule 
               are due on or before October 23, 2009. Comments on the 
               information collection requirements associated with this 
               rule are due on or before September 8, 2009.
ADDRESSES:   You may submit comments, identified by RIN 0991–AB56, by 
             any of the following methods (please do not submit 
             duplicate comments):
             *Federal eRulemaking Portal: 
               http://www.regulations.gov. 
               Follow the instructions for submitting comments. 
               Attachments should be in Microsoft Word, WordPerfect, or 
               Excel; however, we prefer Microsoft Word.
             *Regular, Express, or Overnight Mail: 
               U.S. Department of Health and Human Services, 
               Office for Civil Rights, 
               Attention: HITECH Breach Notification, 
               Hubert H. Humphrey Building, 
               Room 509F, 200 Independence Avenue, SW.,
               Washington, DC 20201. 
               Please submit one original and two copies.
             *Hand Delivery or Courier: 
               Office for Civil Rights, 
               Attention: HITECH Breach Notification, 
               Hubert H. Humphrey Building, 
               Room 509F, 200 Independence Avenue, SW., 
               Washington, DC 20201. 
               Please submit one original and two copies. (Because 
               access to the interior of the Hubert H. Humphrey 
               Building is not readily available to persons without 
               federal government identification, commenters are 
               encouraged to leave their comments in the mail drop 
               slots located in the main lobby of the building.) 
             Inspection of Public Comments:
               All comments received before the close of the comment 
               period will be available for public inspection, 
               including any personally identifiable or confidential 
               business information that is included in a comment. We 
               will post all comments received before the close of the 
               comment period at http:// www.regulations.gov. Because 
               comments will be made public, they should not include 
               any sensitive personal information, such as a person’s 
               social security number; date of birth; driver’s license 
               number, state identification number or foreign country 
               equivalent; passport number; financial account number; 
               or credit or debit card number. Comments also should not 
               include any sensitive health information, such as 
               medical records or other individually identifiable 
               health information.
             Docket: 
               For access to the docket to read background documents or 
               comments received, go to http:// www.regulations.gov or  
               U.S. Department of Health and Human Services, 
               Office for Civil Rights, 
               200 Independence Avenue, SW., 
               Washington, DC 20201 (call ahead to the contact listed 
               below to arrange for inspection).
FOR FURTHER  Andra Wicks,
INFORMATION  202–205–2292.
CONTACT: 

|<  <<  <  Page 1 of 109  >  >>  >|    Search Page    Contents Page
© 2003-2018 First Clinical Research LLC.  Trademark Notice  Terms & Conditions  Privacy Statement  Site Map