On Friday, the U.S. Department of Health and Human Services (HHS) published materials on how to secure and protect health information. The materials, which build on existing HIPAA requirements but do not change them, were required by the American Recovery and Reinvestment Act.

"Protecting patient privacy is a top priority and this guidance specifies proactive steps organizations can take to limit the potential harm a breach can cause," said HHS spokesman Nick Papas in a press release.

The guidance provides steps entities can take to secure personal health information and establishes the trigger for when entities must give notice that patient data has been compromised. This guidance is related to "breach notification" regulations, which HHS and the Federal Trade Commission (FTC) will each issue. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.