Compliance Scorecard: Stimulus Bill Tightens HIPAA Privacy Requirements

Early this year, the healthcare industry watched closely as the U.S. House and Senate debated and passed the Federal economic stimulus bill, the American Recovery and Reinvestment Act of 2009 (ARRA). The bill, which was signed into law on Feb. 17, allocated nearly $30 billion for the improvement of the U.S. healthcare system, much of that coming in the form of grants and incentives to encourage the development and adoption of healthcare IT for digitized health records.

Clearly, implementing an industry-wide system of electronic health records will require even tighter security and privacy protections than those set forth by the Health Insurance Portability and Accountability Act (HIPAA). That’s why Title XIII of the new law, called the Health Information Technology for Economic and Clinical Health Act or HITECH for short, amends HIPAA and adds new privacy and security stipulations.

Under HIPAA, the business associates of covered entities had to be contractually obligated to protect PHI (protected health information) to HIPAA standards, but these business associates were not directly subject to HIPAA themselves. This meant that if a business associate violated HIPAA privacy and security requirements, they would be liable for breach of contract but not subject to regulatory fines and penalties. HITECH changes this, placing the business associates of covered entities directly under HIPAA privacy and security rules, as well as the related enforcement mechanisms and penalties for non-compliance.

HITECH requires covered entities to notify individuals if their PHI is compromised in a data breach. No federal requirement for data breach notification previously existed in the area of healthcare information. The Department of Health and Human Services (HHS) is still developing final regulations for this requirement, but as of this writing, all breaches will need to be reported to HHS (reporting deadlines vary with the size of the breach), and large-scale data compromises will be posted on the HHS Web site for the public to view.

Until now, the Department of Health and Human Services was authorized but not required to audit for HIPAA privacy and security compliance. HITECH mandates periodic audits.

HIPAA set down civil monetary penalties for fraud and abuse violations. HITECH requires formal investigation and penalties for “willful neglect” and amends HIPAA to include a tiered penalty structure based on the severity of the violation.

These are the provisions garnering the most attention; other changes are included as well. These new requirements are scheduled to take effect on Feb. 17, 2010 — giving covered entities and their associates one year from the law’s inception to comply.

Marleah Blades is senior editor for the Security Executive Council (SEC). The SEC maintains a large and growing list of laws, regulations, standards and guidelines that impact security. Help the Council fill out the list and receive a selected complimentary metric slide from our store.