The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, made quite a few amendments to the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.
The most important and noticeable changes include the expansion of enforcement authority to states’ attorneys general, the expansion of privacy and security provisions to cover “business associates”, new breach notification requirements, and changes to the penalties that can be imposed for a breach of HIPAA.
With the changes to HIPAA, penalties can now be imposed on individuals as well as covered entities, in contrast to the previous law, under which penalties could only be imposed on covered entities. As such, if someone within an organization willfully neglects the rules, fails to comply with them, and makes wrongful disclosures, he or she will be subject to fines as well as possible imprisonment. Also, in the past, enforcement and violations were addressed solely at the federal level by the Office for Civil Rights. Now, attorneys general are empowered to deal with enforcement and violations as well.
Protected health information can be released by covered entities without authorization only for the purposes of treatment, billing, and health care operations. Covered entities can’t release information beyond those purposes without the patient’s authorization. In addition, specific types of information (e.g., mental health and substance abuse information, or information about certain diseases such as HIV) are viewed as more sensitive in many states, and additional restrictions on their disclosure exist at the state level.
Under the new law, patients will have a greater ability to find out who has accessed their protected health information. This means that covered entities and business associates could be asked to account for a good deal of access information if they receive such a request. New regulations are being considered in this area, so it is an area to watch.
In order to make sure that they remain HIPAA compliant, covered entities should keep an eye on releases from HHS about changes and consult with their legal representative. They should make sure that their designated privacy officer is properly trained and is in turn training their employees. They should also keep their lines of communication open with business associates and make sure that any contracts with them include appropriate provisions requiring compliance with HIPAA and with any other state laws that may come into play.