Understanding the economic stimulus package's effect on HIPAA
Contemporary Long-Term Care Weekly, February 26, 2009
Last week, U.S. President Barack Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009, which includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations. It also sets aside billions of dollars to invest in electronic health records implementation and exchange. The Act also extends the HIPAA security provisions to business associates (BAs).
Here is a breakdown of some major effects the stimulus package will have on HIPAA, courtesy of Chris Apgar, CISSP, president, Apgar & Associates in Portland, OR:
- Breach notification laws now apply to covered entities, BAs, and personal health record vendors.
- Notification is required for the breach of medical information (i.e., PHI) that is not “protected.” Generally, “protected” would mean that electronic information is encrypted, but the bill is silent on whether the medical information is electronic or paper, so it is better to assume that, contrary to most state laws, notification is now also required if there is a breach of paper medical information.
- Covered entities need to amend BA agreements to reflect the new changes.
- The Department of Health and Human Services (HHS) is required to post a report annually listing all covered entities and BAs on which it has levied fines, to which it has issued corrective action plans, or to which it has provided technical assistance to correct a violation.
- State attorneys general can take action to seek damages and/or fines for privacy and security violations in their states. HHS can trump such action.
- “Willful neglect” (i.e., knowing a privacy and/or security issue exists but refusing to take action to correct such a deficiency) as defined under the current HIPAA enforcement rule can lead to civil penalties. This stimulus package criminalizes willful neglect. Also, the package permits significantly higher fines.
- Health information organizations (HIOs) and regional HIOs (RHIOs) are now categorized as BAs and are therefore required to abide by HIPAA. Also, BA agreements need to be executed between RHIO or HIO participants and the organization managing the RHIO or HIO.