The recently enacted American Recovery and Reinvestment Act of 2009 (ARRA) includes new requirements under the Health Insurance Portability and Accountability Act.
Also known as the economic stimulus package, ARRA extends HIPAA's privacy and security rules to “business associates” of a covered entity. A business associate is a person or entity who performs, on behalf of a covered entity, a function or activity involving the use or disclosure of individually identifiable health information.
The new law also includes requirements for notifying individuals whose information may have been accessed during a breach. The law requires that in the case of a breach of protected health information, a covered entity must notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such a breach.
The law also requires business associates to notify the covered entity when they discover a breach of protected health information. The notification must include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed during the breach.
Covered entities and business associates must provide the notification of a breach “without unreasonable delay” (but no later than 60 calendar days), unless a delay is needed for law enforcement purposes (that is, a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security).
The law also requires a notice to the media (for breaches affecting more than 500 individuals in a jurisdiction) and to the head of the Department of Health and Human Services.
ARRA requires that the Department of Health and Human Services issue interim final regulations relating to the requirements for breaches within 180 days of enactment, which occurred on February 17, 2009.
Under the law, civil penalties for HIPAA violations rise to $50,000 per violation (effective for violations occurring after enactment of ARRA), and the Department of Health and Human Services must conduct periodic audits to ensure that covered entities and business associates are in compliance.