HITECH Breach Notification: A Blizzard of Activity

By Rebecca L. Williams, Paul T. Smith and Helen E. Ovsepyan
02.22.10
While Washington, D.C., is digging out of its largest blizzard in decades, the health care industry, too, is trying to weather storm after storm of compliance obligations under the Health Information Technology for Economic and Clinical Health Act (HITECH). Feb. 22, 2010, marks the enforcement date for the health information security breach notification requirements under HITECH, followed a week later by the submission date for breach reports to the federal government.

Covered entities and business associates should be ready to comply with the breach notification requirements, including having policies and procedures in place. Covered entities also should be prepared to submit reports to the Department of Health and Human Services (HHS) of any breaches that occurred during the last quarter of 2009.

Enforcement of the federal breach notification requirements

By way of background, HITECH created the first federal health information breach notification mandate and called on HHS to promulgate regulations within six months after its enactment. HHS issued interim final breach notification regulations on Aug. 24, 2009, which became effective on Sept. 23, 2009.

Recognizing the Herculean efforts required for the health care industry to comply with these extensive requirements, HHS said that it would use its enforcement discretion to not impose sanctions for failure to provide notification for breaches that were discovered before Feb. 22, 2010. Beginning on this date, however, HHS can be expected to start enforcing the breach notification requirements.

In a nutshell, covered entities and business associates must provide notification of breaches of unsecured protected health information if the breach poses a significant risk of harm to the individual. Business associates must notify their affected covered entities. Covered entities must notify the affected individuals, HHS, and, if more than 500 individuals in a state or jurisdiction are affected, the media. Notification must be made without unreasonable delay, but in no event more than 60 days from the date of discovery, and must comply with the specific HITECH requirements. For more detailed information on the requirements, please see our Aug. 25, 2009, advisory, "HHS Issues Rule on Breach Notification for Unsecured Protected Health Information."

Data breach reporting to HHS

Under the HITECH breach notification requirements, covered entities must notify HHS of all reportable breaches. The timing of the notification varies with the scope of the breach. For breaches involving fewer than 500 individuals in a state or jurisdiction, covered entities must maintain a log of such breaches and provide that log to HHS annually no later than 60 days following the end of the calendar year. Breaches involving 500 or more individuals in a state or jurisdiction require reporting to HHS contemporaneously with notification to the affected individuals.

Within 60 days of the end of each calendar year (March 1, by our calculation for this year), covered entities must provide HHS with information about breaches involving fewer than 500 individuals that occurred in the previous calendar year. Reporting in 2010 need only cover breaches occurring from Sept. 23 to the end of 2009. Reporting must be in the manner specified on the HHS Web site.

Notification must be made electronically through the Web site and must include detailed information about each individual breach. Although HITECH requires covered entities to maintain and submit an annual log of breaches to HHS, the Web site requires a separate incident report for each breach, containing the same information that is required for breaches involving 500 or more individuals.

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.