Recovery Act Extends HIPAA Reach, Adds Data Breach Notification Rules


Tuesday, Compliance Week published a story highlighting several of the compliance changes that are coming -- or have already arrived -- as a result of the American Recovery and Reinvestment Act of 2009. In addition to the restrictions placed on companies receiving bailout money, some of the most significant changes concern compliance with the Health Insurance Portability and Accountability Act (HIPAA).


According to Mondaq, Title XIII of the Recovery Act, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, commits $22 billion to "advance the use of health information technology" and broadens HIPAA privacy and security requirements. As writers Deborah S. Birnbach, Louise N. Howe and Jacqueline Klosek, from the law firm of Goodwin Procter, point out, the biggest change concerns those businesses that provide support and services to HIPAA covered entities:

Most notably, the legislation makes business associates, and not just the covered entities to which they provide services, directly subject to HIPAA's privacy and security requirements as well as the penalties for violating those requirements...Under the changes ushered in by the HITECH Act, business associates will now be subject to the same government civil and criminal penalties as covered entities....Business associates must also now comply with the HIPAA regulation requiring the implementation of formal policies and procedures as well as documentation requirements.

Prior to the new legislation, "business associates" that failed to properly protect the patient information at issue were liable to the covered entities via their service contracts, but they did not face governmental penalties.


The HITECH Act also adds data breach notification requirements. Though several states have such requirements, few have applied them to health information so far, and this is the first data breach notification requirement to come from the federal government, the writers say. HIPAA covered entities will have to notify patients and/or customers when their protected health information has been compromised. Business associates that experience breaches will have to notify the covered entities with which they have contracts.


Jeffrey D. Neuburger and Sara Krauss explain the requirements in the Privacy Law Blog, which is maintained by their law firm, Proskauer Rose. Beginning no later than Sept. 16, 2009, they say, HIPAA-covered entities will be required to notify individuals when protected health information that is "unsecured" has been compromised. Notice must be given to the individuals whose data is affected "without unreasonable delay," and no later than 60 days after the breach. If the breach involves 500 people or more, the covered entity will be required to notify the U.S. Department of Health and Human Services and major media outlets.