Time to revisit your firm’s existing privacy policies. The U.S. Department of Health and Human Services (HHS) just issued new regs about notifying an individual when a health info breach occurs.

Under the new HHS regs, any providers, administrators and other entities covered by the Health Insurance Portability and Accountability Act — part of Obama’s American Recovery and Reinvestment Act of 2009 — are required to notify the HHS secretary, the media and the affected individual when a breach of private health info occurs.

What employers should know: The time frame in which a breach must be reported to the HHS depends on the size of breach. Here are two examples:

1. If a health info breach affect more than 500 people, the HHS secretary and the media must be notified “promptly.”
2. If a breach affects fewer than 500 people, it needs to be reported to the HHS within one year.

Tags: Breach, Health info, Health Insurance Portability and Accountability Act, Regs, The U.S. Department of Health and Human Services