
February 27, 2009

American Recovery and Reinvestment Act Significantly Revises the HIPAA Privacy and Security Rules

The American Recovery and Reinvestment Act (the "Stimulus Package") significantly changes provisions in the HIPAA Privacy and Security Regulations ("the Regulations"), broadening their applicability and creating new provisions that will place new requirements on those covered by the Regulations. These are the first substantial revisions to these laws since they took effect in 2003 and 2005, respectively.

Prior to the Stimulus Package, the Regulations did not directly apply to Business Associates of Covered Entities. Business Associates were bound only by the contract provisions that the Regulations required in their agreements with Covered Entities, and regulatory authorities could not enforce those provisions against the Business Associate itself. The Stimulus Package changes this, expanding both enforcement and the range of businesses subject to these complex regulations. These changes include:

  • Extension of many provisions of the Regulations to Business Associates; 
  • Expansion of civil and criminal penalties for violation of the applicable Regulations to Business Associates; 
  • Requiring periodic compliance audits of Business Associates by the United States Department of Health and Human Services; and 
  • Expansion of the definition of Business Associate to include those that provide data transmission services and require access to protected health information on a routine basis, as well as vendors that offer personal health records to patients.

The Stimulus Package also creates the first comprehensive security breach notification requirements for "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." Unless an exception applies, the Stimulus Package will require Covered Entities and Business Associates to notify both individuals and the Secretary of Health and Human Services of "unsecured protected health information" breaches.

Where a breach involves more than 500 individuals, prominent media outlets serving the area where the individuals reside must also be notified. "Unsecured protected health information" is defined as protected health information that is not secured through a technology or methodology specified by the Secretary of Health and Human Services. The Secretary will issue, and update annually, guidance on which technologies and methodologies render protected health information "unusable, unreadable, or indecipherable to unauthorized individuals." The law requires that guidance within 60 days of enactment (February 17, 2009), and requires interim final regulations implementing the breach notification provisions within 180 days of enactment.

Other changes to the Regulations include: 

  • Covered entities are now required to comply with an individual's request to restrict disclosure of his/her protected health information to a health plan for payment or health care operations purposes where the individual has paid the health care provider in full out of pocket for the item or service in question;
  • The Secretary of Health and Human Services will issue guidance on what constitutes "minimum necessary" within 18 months after enactment; 
  • New requirements for accounting of disclosures where a covered entity uses or maintains electronic health records; and 
  • Tiered increases of Civil Monetary Penalties, up to a maximum of $1.5 million, depending on the level of culpability.

Some groups have criticized the United States Department of Health and Human Services Office for Civil Rights and the Centers for Medicare and Medicaid Services for the limited number of enforcement actions taken under the Regulations. The new law gives State Attorneys General the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, either to enjoin further violation or to obtain damages on behalf of those residents. The Court will be allowed to award attorneys' fees to the state in such actions.

The new provisions are extremely detailed and complex and will impact businesses in a variety of ways. In addition, the effective date of the law varies by section. Hiscock & Barclay, LLP has provided counsel to Covered Entities and Business Associates in interpreting the Regulations, training staff, drafting and updating policies and procedures, drafting Business Associate Agreements and responding to investigations by regulatory agencies. Should you have specific questions regarding how the new law impacts your business, please contact Melissa Zambri or any member of our Health Care and Human Services Practice Area.
