The U.S. Department of Health and Human Services (HHS) issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the American Recovery and Reinvestment Act of 2009 on February 17, 2009.
The HITECH Act requires covered entities and business associates, as well as others, to provide notice of information security breaches affecting "unsecured protected health information".
The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals.
If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.