Breach notification and the law.

: The American Medical Association Council on Ethical and Judicial Affairs (CEJA) has written a position paper on physicians' ethical responsibilities in the event that the security of patients' electronic health information has been breached. The report offers compelling ethical and practical justifications for notification requirements and articulates guidelines for clinicians. This commentary addresses a gap in the report. It outlines the new legal duty to disclose security breaches, established by the 2009 HITECH Act, which is only briefly mentioned in the report. The commentary also analyzes the CEJA recommendations in light of the legal mandate and suggests that the guidance would benefit from further clarification.