Effective Aug. 18, medical offices must comply with the American Recovery and Reinvestment Act's new breach notification requirements. The new provision requires covered entities, business associates and personal health record vendors to notify individuals if unsecured protected (or individually identifiable) health information is breached. This applies to electronic and non-electronic PHI, including information that is more than just health or financial information, as defined in the HIPAA Privacy Rule. Additional privacy and security requirements will take effect in February 2010.
National HIPAA expert Chris Apgar, CISSP, completed an analysis of the new breach notification requirements, which is posted on the OMA website at www.theOMA.org/breachnotification and will appear as a Medical Issues Brief in the printed version of August STAT. A complete analysis of all ARRA privacy and security provisions is available on the OMA website at www.theOMA.org/arra; scroll to the Privacy and Security Provisions section. These resources are available only to members; a member login will be needed for access. For login instructions, visit www.theoma.org/Login.asp or contact Stephanie at stephanie@theoma.org or (503) 619-8000.
To help offices prepare for the Aug. 18 deadline, the OMA will host a Breach Notification - Steps to Compliance webinar on Aug. 12 to further explain the new requirements and answer any questions. Two webinar times will be available: 10:00 - 10:45 am or 2:00 - 2:45 pm. To register for either webinar, visit www.theOMA.org/stimuluswebinarseries. For further questions, contact Reina at (503) 619-8000.