Breach Notification Rules

Breach Notification Rules

The intent of this paper is to define breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) in the United States (U.S.) and to discuss their objectives and purpose. To achieve this end, it is necessary to conduct a background analysis of the HIPAA breach notification rules. In addition, an evaluation of these rules will be highlighted. Moreover, the impact of the Final Omnibus Rule (FOR) of 2013 on breach notification rules will be emphasized. Finally, the way head will be underscored.

Background

In August 1996, President Bill Clinton signed HIPAA, which is the single most significant federal legislation affecting the U.S. health care industry since the creation of the Medicare and Medicaid programs in 1965. The five primary goals of the HIPAA legislation are:

1. To improve portability and continuity of health insurance coverage for individuals and groups.

2. To combat fraud, waste, and abuse in the health care industry.

3. To promote the use of medical savings accounts.

4. To improve access to long-term health care services and coverage.

5. To establish standards for administrative simplification (HIPAA, 1996).

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was published in the Federal Register on August 24, 2009 by the Department of Health and Human Services (HHS), and became effective on September 23, 2009. During the sixty-day public comment period on the Interim Final Rule (IFR), HHS received approximately 120 comments (Coffield, 2009).

HITECH Act requires the covered entity (CE) and the business associate (BA) under HIPAA to provide notification of breaches of unsecured protected health information (PHI). PHI is...