New HIPAA rules on information breaches take effect in September

If patient information is stolen, practices must notify the affected patients and, in some cases, the U.S. Department of Health and Human Services and local media, according to new regulations that go into effect on September 23.

"This will be a tremendous burden to small practices," says attorney Ed Gaines, chief compliance officer of Medical Management Professionals Inc. in Greensboro, North Carolina. "The individual medical practices are going to have to be very careful in understanding and analyzing who has what on their computers."

The law was included in the federal stimulus bill, passed in February, as an expansion of HIPAA. While the rule takes effect this month, enforcement won't begin until February 22, 2010.