
Breach Rule

As part of the American Recovery and Reinvestment Act (ARRA) of 2009, a law entitled Health Information Technology for Economic and Clinical Health (HITECH) sought to strengthen the privacy and security provisions of 1996's Health Insurance Portability and Accountability Act (HIPAA).

The Department of Health and Human Services (HHS) then issued specific regulations concerning breaches of personal health information (PHI) by covered entities and their business associates who work with, retain, store and transmit health information.

The breach rule requires all those handling "unsecured" PHI to notify the affected individuals when their information has been breached, and in cases involving 500 or more individuals, to notify HHS and its Office for Civil Rights (OCR) as well as the media. For smaller breaches, reporting to HHS can be done on an annual basis.

The key word here is "unsecured," which HHS defined as meaning either the information has been so encrypted as to be undecipherable or the information has been destroyed.
