
Understand the economic stimulus package's effects on HIPAA

HIM-HIPAA Insider, February 23, 2009

This week, U.S. President Barack Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009, which includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations, and sets aside billions of dollars to invest in electronic health record implementation and exchange. The Act also extends HIPAA security provisions to business associates (BAs).

Here is a breakdown of some major effects the stimulus package will have on HIPAA, courtesy of Chris Apgar, CISSP, president, Apgar & Associates in Portland, OR:

  • Breach notification laws now apply to covered entities, BAs and personal health record vendors.
  • Notification is required for the breach of medical information (i.e., PHI) that is not “protected.” Generally this would mean encrypted, but the bill is silent on whether the medical information is electronic or paper, so it is better to assume that—contrary to most state laws—notification is now also required if there is a breach of paper medical information.
  • Covered entities need to amend BA agreements to reflect the new changes.
  • HHS is required to post a report annually listing all covered entities and BAs against which it has levied fines, issued corrective action plans, or provided technical assistance to correct a violation.
  • State attorneys general can take action to seek damages and/or fines for privacy and security violations in their states. HHS can trump such action.
  • “Willful neglect” (i.e., knowing a privacy and/or security issue exists but refusing to take action to correct such a deficiency) as defined under the current HIPAA enforcement rule can lead to civil penalties. This stimulus package criminalizes willful neglect. Also, the package permits significantly higher fines.
  • Health information organizations (HIO) and regional HIOs (RHIO) are now categorized as BAs and are now required to abide by HIPAA. Also, BA agreements need to be executed between RHIO or HIO participants and the organization managing the RHIO or HIO.
