HIPAA Breach Notification Rules
The new interim HIPAA Rules concerning Health IT data security take effect today, Sept 23rd. The new HIPAA rules cover any unauthorized access or disclosure of "unsecured" PHI (Protected Health Information).
The new rules are intended to ensure patient confidentiality, but there is some controversy over the "harm threshold" provision.
Congress intended for the federal rule to incentivize proactive data protection measures, such as encryption. For example, if the data involved in a breach is rendered unusable by encryption, companies do not have to issue breach notifications, the interim final rule states.
However, privacy groups are dismayed that a provision of the rule would allow healthcare entities to opt out of notification requirements under certain circumstances.