Health Information Breaches to Require Notification by HIPAA-Covered Entities, Others
New regulations are being proposed by the U.S. Dept. of Health and Human Services which would require health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act to notify individuals when their health information is breached.
The “breach notification” regulations implement provisions passed as part of the American Recovery and Reinvestment Act of 2009. The regulations will require health care providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
According to DHHS, the regulations were developed after receiving public comment and after consultation with the Federal Trade Commission. The FTC has proposed companion breach notification rules that apply to vendors of personal health records and certain others not covered by HIPAA, including businesses that allow individuals to maintain their medical information online.