New rules on notice requirements for breach of unsecured HIPAA protected health information

On August 24, 2009, the Department of Health and Human Services (HHS) issued important new rules to implement the breach notification requirements enacted under the American Recovery and Reinvestment Act of 2009 (ARRA). These new HHS rules require employers who sponsor self-insured group medical plans to take certain compliance actions in a fairly short timeframe.


ARRA imposes a new requirement on entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – such as employer-sponsored group medical plans and their business associates – requiring them to notify affected individuals, the Secretary of HHS and, in certain circumstances of breaches affecting at least 500 residents of a state, the media, following a breach of unsecured protected health information.

The new regulations clarify that HIPAA protected health information (PHI) will be considered to be “unsecured” unless the information is secured using methods prescribed in the regulations. The regulations define a “breach” as a use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Regulations, and require that entities subject to HIPAA perform a risk assessment to determine if there is a significant risk of financial, reputational, or other harm to the individual as a result of the impermissible use or disclosure.

Finally, the regulations prescribe rules for the timing, content and method of notification to individuals, the media and HHS.


The new regulations are effective for breaches occurring on or after September 23, 2009. However, in recognition of the time that it will take group medical plans and their business associates to implement necessary policies and actions, HHS has stated that it will not impose sanctions for failure to provide the required breach notifications for breaches that are discovered before February 22, 2010.


Under the new law, there are significant civil penalties that can be imposed, and authority has been granted to state attorneys general to bring civil actions against employers that fail to comply with the requirements.


McAfee & Taft recommends that plan sponsors of self-insured medical plans take immediate steps to:

  • Determine to what extent they can meet the new safe harbor guidelines for securing PHI.
  • Develop appropriate procedures and policies.
  • Develop breach notice forms.
  • Train workforce members involved in plan administration on the detailed requirements of the new rules.
  • Review and revise business associate contracts.

These new regulations will be discussed further at the upcoming McAfee & Taft Labor & Employment and Employee Benefits client seminars scheduled for October 2nd in Oklahoma City and for October 7th in Tulsa.

Further, we will be following up individually with our clients whom we have previously assisted with HIPAA Privacy and Security implementation programs.

If we have not previously helped your company with HIPAA implementation and you have questions or need assistance with the new rules, please contact John Papahronis at (405) 552-2231.