SANS ISC: InfoSec Handlers Diary Blog

ARRA/HIPAA Breach Reporting Dates Approaching

Published: 2009-06-06
Last Updated: 2009-06-06 17:32:12 UTC
by Patrick Nolan (Version: 1)

September 14th, 2009 or "thereafter"

The American Recovery and Reinvestment Act of 2009 was signed into law on February 17, 2009. The "Breach" notification portion of the law goes into effect 30 days after the Secretary of HHS "promulgates" "interim final regulations". Although those are not "promulgated" yet, a date can be calculated.

The way I calculate this, August 16th would be the last day "interim final regulations" could be published; add 30 days, and the notification requirements "will apply to breaches of unsecured PHI" on September 14th, 2009 or "thereafter".

American Recovery and Reinvestment Act of 2009, Subtitle D—Privacy, Sec. 13402. Notification in the case of breach.

Related Diary

Unusable, Unreadable, or Indecipherable? No Breach reporting required
