The American Recovery and Reinvestment Act of 2009 (ARRA), the economic stimulus legislation recently signed by President Obama, contains significant changes to the Health Insurance Portability and Accountability Act (HIPAA) and the present health information privacy protection regime. Most notably for employers and healthcare providers, ARRA, in part, provides:
- New breach notification requirements for “covered entities”. ARRA requires covered entities to notify individuals in writing if their personal health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform the Department of Health and Human Services (HHS) and “prominent media outlets serving a state or a jurisdiction.”
- Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now subject to HIPAA rules and regulations. Please note that this change in particular may require a review of existing Business Associate Agreements (BAAs) as well as revision of any new BAAs entered into.
- State Attorneys General may now bring suits seeking statutory damages and attorneys’ fees for HIPAA violations. Previously, such enforcement was exclusively limited to the Office of Civil Rights within HHS.
- Many other changes, including a prohibition on the sale of personal health records, further restrictions on marketing and fundraising communications to patients, and new requirements for accounting of disclosures of PHI.