CHA News Article

Important Update Made to Privacy Manual Regarding Breaches
Updated chapter will help hospitals understand and implement new DHHS requirements

On Aug. 24, the U.S. Department of Health and Human Services (DHHS) published its interim final rule regarding breach notification requirements for hospitals and other HIPAA-covered entities. The federal rule requires providers to notify the patient and DHHS (and in some cases the media) of a breach of unsecured protected health information that poses a significant risk of financial, reputational or other harm to the patient whose information has been used or disclosed in violation of HIPAA.

The requirements under state breach notification laws differ in many significant respects from the federal rule regarding what constitutes a breach, what must be reported, to whom and by when. California hospitals will have to analyze each potential breach under both state and federal law to determine the appropriate actions to take.

To help hospitals understand and implement the new DHHS requirements, CHA has updated Chapter 12, on breaches, of the recently published California Health Information Privacy Manual. The revision includes the details of the new federal requirements, as well as the existing state requirements. A copy of the new chapter will be mailed this week to members who purchased the manual.

The federal breach reporting requirements, as well as information on how to order the manual, are posted under Privacy Tools & Resources.