The U.S. Department of Health and Human Services (HHS, Washington) has outlined guidance on the technologies and methodologies regarding protected health information, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009. The guidance was developed, according to HHS, through a joint effort by the HHS Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and Centers for Medicare and Medicaid Services.
The outline relates to two forthcoming breach notification regulations — one from HHS under the Health Insurance Portability and Accountability Act, and the other from the Federal Trade Commission for vendors of personal health records and other non-HIPAA covered entities, says HHS. HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached, says the organization.
In addition to this guidance, HHS has also issued a request for information soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance. The guidance and request for information are available online. Once published in the Federal Register, both will be available for public comment.