Two new rules were created this week requiring health care organizations, and other entities that interact with personal health records (PHRs), to issue notifications in the event of a data breach. The key rule, issued Wednesday by the U.S. Department of Health and Human Services (HHS), requires health organizations subject to Health Insurance Portability and Accountability Act regulations to notify individuals whose information has been breached when the breach affects more than 500 people. Breaches affecting fewer than 500 individuals must be reported to HHS annually.
Source: https://threatpost.com/health-care-breach-notification-mandated-082409/72951/

