In April 2009, the guidance on HITECH Breach Notification was issued with an appeal for public comments. After consideration of public comments and implementing adequate changes the guidance was reissued as Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information.
Also, the guidance is applicable to unsecured personal health record identifiable health information under the FTC regulations. It states that the covered entities and business associates should only provide required notification if the breach involved unsecured protected health information. As per the guidance, covered entities, business associates, and FTC regulated entities securing guidance specified information are not required for providing notifications following the breach of such information.