Time to revisit your firm’s existing privacy policies. The U.S. Department of Health and Human Services (HHS) just issued new regs about notifying an individual when a health info breach occurs.
Under the new HHS regs, any providers, administrators and other entities covered by the Health Insurance Portability and Accountability Act — part of Obama’s American Recovery and Reinvestment Act of 2009 — are required to notify the HHS secretary, the media and the affected individual when a breach of private health info occurs.
What employers should know: The time frame in which a breach must be reported to the HHS depends on the size of the breach. Here are two examples:
- If a health info breach affects more than 500 people, the HHS secretary and the media must be notified “promptly.”
- If a breach affects fewer than 500 people, it must be reported to the HHS within one year.