Law requires health data breach notifications

The recently enacted economic stimulus law includes new requirements for how companies must notify people of breaches of their protected health information. Some experts say the rules could lead to federal breach notification requirements for other types of data.

Health data experts are still studying provisions in the $787 billion spending law that expand what health care-related businesses are required to do when they discover that unsecured protected medical data has been breached.

The law gave the Health and Human Services Department 60 days to issue guidance on the types of technologies and methodologies that should be used to render protected health information secure -- that is, unusable, unreadable or indecipherable to unauthorized people.

Under the new law, if a health care provider, health plan administrator or health care clearinghouse covered under the Health Insurance Portability and Accountability Act (HIPAA) suffers a breach of the personal medical data it holds, and that data was not secured in the way HHS recommends, the organization will have to notify each person whose data is believed to have been compromised within 60 days. Companies that handle the medical data on behalf of those covered entities will also have to notify the entity they work for if a breach is believed to have occurred on their watch.

“It is a big change in terms of the scope of the laws…and it now establishes a federal standard so regardless of what state you do business in, if you do business in the health industry, you are likely to be subject to these breach requirements,” said Kathryn Roe, an attorney focused on health care with the firm Neal, Gerber and Eisenberg in Chicago.

Federal lawmakers have made several recent attempts to pass national notification requirements for data breaches of all kinds, but those efforts have stalled. In the absence of a national rule, more than 40 states have promulgated their own data breach notification requirements.

Lisa Sotto, head of the privacy and information management practice at the law firm Hunton and Williams and an expert on privacy and data security, said the current situation is complex because data breaches rarely affect residents of just one state and the state laws often differ.

“I think what could happen here is this could set the bar and become the standard of data compromises of other types of sensitive personal data,” Sotto said.

The new law, which applies only to protected medical data, requires that individuals affected by a breach be notified in writing and that local news media be alerted in cases where more than 500 people are believed to have been affected. The provisions also require the companies to notify HHS of any breach, and to do so immediately if it involved 500 people or more. HHS will post on its Web site a list of the HIPAA-covered entities involved in breaches that reach the 500-person threshold.

Pam Dixon, executive director of the public research group World Privacy Forum, said the law was also significant because it includes requirements for organizations not covered under HIPAA. She added that the law was an acknowledgment that certain kinds of data need more protection.

Regardless of how they are delivered, breach notifications will have to include, to the extent possible:

  • A description of what happened, including when the breach occurred and when it was discovered.
  • A description of the types of unsecured protected health information that was breached.
  • The steps individuals should take to protect themselves against potential harm from the breach.
  • A description of what the covered entity involved is doing to investigate the breach, mitigate losses and prevent future breaches.

HHS also was given one year to submit to Congress the first of what will become an annual report on medical data breaches that have occurred and what was done in response to them. The department also was given 180 days to issue interim final regulations implementing the law's requirements.

About the Author

Ben Bain is a reporter for Federal Computer Week.
