Endocrine Insider
September 30, 2009
Effective September 23, 2009, HIPAA-covered entities, including physicians and health care providers, health plans, and health care clearinghouses, are required to notify patients, the Secretary of the Department of Health and Human Services (HHS), and in some cases the media, if breaches of security involving personal health information (PHI) are discovered. Though the rule took effect on September 23, HHS has stated that it will not impose sanctions or financial penalties for breaches discovered before February 22, 2010.
Under the American Recovery and Reinvestment Act of 2009, a breach is defined as the acquisition, access, use, or disclosure of unsecured PHI that is not permitted by the HIPAA Privacy Rule and that compromises the security or privacy of the PHI. HIPAA-covered entities are required to notify the affected individuals without unreasonable delay and no later than 60 calendar days after the discovery of a breach. In cases involving the breach of more than 500 individuals’ PHI, the media must also be notified.
The American Medical Association has created a helpful document outlining what physicians need to know about the new HIPAA breach notification rule.