Immediate Action Required - New HIPAA Breach Notification Regulations Issued

August 24, 2009

On Wednesday, August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify individuals when their health information is breached, implementing provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) passed in early 2009.

As stated in our recent publication titled "New HIPAA Federal Breach Notification Requirements, July 17, 2009," there was previously no obligation to notify affected individuals of a breach of privacy or security of protected health information. Now, covered entities must notify individuals upon discovering a breach of unsecured protected health information (PHI), and, further, a business associate must notify the affected covered entity upon discovery of the business associate's breach. Please see the above-mentioned publication for a summary of the new notice requirements.

Entities subject to the new law are required to do the following now in order to comply:

  • Develop and document policies and procedures for responding to a breach of PHI
  • Train workforce members on how to respond to a HIPAA security breach
  • Have sanctions procedures in place for workforce members who fail to comply with these policies and procedures
  • Permit individuals to file complaints regarding these policies and procedures or a failure to comply with them

The policies and procedures should outline all aspects of how the entity will respond should a breach occur. Specifically, the policies and procedures should allocate notification responsibilities to the appropriate employees; provide a step-by-step policy for how to timely react in the case of a breach; provide sample notification materials to affected individuals, HHS, and the media; provide procedures for investigating and mitigating the damages of the breach; and much more.

The new law becomes effective September 23, 2009. Implementing new policies and procedures and conducting workforce training now will prepare an entity subject to these regulations to comply with the law in the event of a breach, eliminate the risk of failing to meet the notification deadlines, and help the entity mitigate the damaging effects of a breach. HHS can impose civil penalties up to $1.5 million per violation per year for non-compliance with these new laws. Do not delay in implementing a program to comply with these new requirements.

IRS Circular 230 Disclosure: As required by United States Treasury Regulations, you should be aware that this communication is not intended or written by the drafter to be used, and it cannot be used, by any recipient for the purpose of avoiding penalties that may be imposed on the recipient under United States federal tax laws.
Bracewell & Giuliani LLP makes this information available for educational purposes and does not offer specific legal advice or create an attorney-client relationship with the firm. Do not use this information as a substitute for specific legal advice. Attorney advertising.
Bracewell & Giuliani LLP is an international law firm with more than 450 lawyers in Texas, New York, Washington, D.C., Connecticut, Dubai, Kazakhstan and London. We serve Fortune 500 companies, major financial institutions, leading private investment funds, governmental entities and individuals concentrated in the energy and financial services sectors worldwide.