The American Recovery And Reinvestment Act Of 2009: Health Information Privacy And Security Provisions - Here We Go Again


On February 17, 2009, President Obama signed into law The American Recovery and Reinvestment Act of 2009 (the "Stimulus Act" or the "Act"), which will address the nation's economic uncertainties through various tax breaks and infrastructure investment projects. The Act includes almost $20 billion for the development of a nationwide health information technology ("HIT") infrastructure intended to, among other things, advance the adoption of electronic medical records, improve health care quality, reduce medical errors and improve care

The Stimulus Act also includes numerous provisions which modify and expand the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including requiring HIPAA-covered entities, business associates and other previously unregulated entities to modify their health information privacy and security policies, procedures and practices.

Health Information Technology for Economic and Clinical Health

Title XIII of the Stimulus Act, also known as the "Health Information Technology for Economic and Clinical Health Act" or the "HITECH Act", addresses the promotion of HIT. Subtitle D of the HITECH Act expands the HIPAA Privacy Rule and Security Rule and includes other provisions which will require attention by health care organizations and other entities not previously impacted by HIPAA.

Highlights of the HITECH Act

Significant changes to be implemented by the Act include the

- Direct application of key Security Rule and Privacy Rule obligations to business associates, and an expanded definition of the persons and entities considered to be business associates

- Requiring covered entities and personal health record ("PHR") vendors to notify affected individuals and federal regulatory entities of security breaches involving an individual's "unsecured" protected health information ("PHI") or PHR identifiable health information,

- Modifying and expanding the scope of the Privacy Rule (e.g., narrowing the scope of marketing activities permitted without individual authorization, modifying the minimum necessary rule, requiring a covered entity to agree to certain disclosure restriction requests, reviewing the definition of health care operations activities, expanding the scope of the accounting of disclosures

- Restricting the sale of PHI by covered entities without individual authorization

- Expanding the scope of penalties for unlawfully using and disclosing PHI, expanding who may bring claims for HIPAA violations to include state attorneys general, and requiring the Secretary of Health and Human Services (the "Secretary") to establish a methodology for sharing a percentage of HIPAA civil monetary penalties and settlement amounts with aggrieved individuals

- Requiring the Secretary to conduct mandatory audits of covered entities and business associates

Direct Application of HIPAA Security Rule and Privacy Rule Provisions to Business Associates

Under current law, business associates are not directly regulated by HIPAA or its implementing regulations. Lacking statutory authority to directly regulate any person other than "covered entities" (i.e., health care providers that engage in a standard transaction, health plans and health care clearinghouses), the Secretary addressed the disclosure of PHI to third-party vendors of covered entities by requiring the covered entities to enter into HIPAA-compliant business associate contracts with such persons and organizations. Thus, a business associate's HIPAA obligations arise by contract and not by statute or regulation.

The Stimulus Act significantly changes that approach. HIPAA business associates will now be subject directly to many of the same Security Rule requirements as covered entities, meaning that business associates will need to implement the administrative, physical and technical safeguards required by 45 CFR Part 164, Subpart C. Business associates will also need to implement the requisite Security Rule policies and procedures required of covered

Business associates will also be bound by the Privacy Rule and will be subject to the same civil monetary penalties and criminal penalties that are applicable to covered entities for Privacy Rule and Security Rule violations.

Effective as of February 17, 2009, the Act states specifically that organizations such as health information exchange organizations and regional health information exchange organizations that provide data transmission of PHI on behalf of a covered entity and that routinely require access to such information are business associates of the participating covered entities. Many such organizations had argued that they were mere conduits of PHI and, therefore, were not business associates of any covered entity participants or members.

Action Item: This is a significant expansion of the scope of the Privacy Rule and Security Rule. Like covered entities, business associates will need to implement a health information security program that comports with the standards set forth in the Security Rule. This will include the required risk analysis. Covered entities will also need to ensure that their business associates implement these obligations, presumably through appropriate representations and warranties, which may necessitate the execution of business associate contract amendments or amended and restated business associate agreements. Further, covered entities that did not previously execute business associate contracts with the health information exchange organizations in which they participate will need to execute such agreements.

Notification of Data Security Breach Required for Covered Entities, PHR Vendors and Other Non-Covered Entities

The current version of the Security Rule does not require covered entities to notify their patients, insureds or customers in the event of a security breach involving PHI. (Many states would, however, require such a notification depending upon the information involved.) Per the Stimulus Act, no later than 60 days after discovery of a breach or a suspected breach, covered entities will be required to notify individuals whose "unsecured" PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired or disclosed. There is no materiality standard regarding the type or scope of PHI involved.

"Unsecured PHI" is defined as PHI that is not secured through the use of a technology or methodology to be specified by the Secretary. Guidance from the Secretary on the matter is required within 60 days of enactment of the Stimulus Act. Until such time, PHI will be deemed secured if it is encrypted by a technology or methodology developed or endorsed by an ANSI accredited

Because the notification duty attaches only to unsecured PHI, encrypting PHI wherever it is stored or transmitted is the most direct way for an organization to keep a lost device or intercepted transmission from becoming a reportable breach.

Business associates will also be required to notify covered entities of a security breach. Written notice of a data security breach to affected individuals will be required in all cases. The Secretary will also need to be notified of all security breaches (immediately in the case of a security breach involving 500 or more persons, or annually via a log submission if fewer than 500 persons were involved). In cases involving more than 500 residents of a given state or jurisdiction, notice to prominent media outlets serving that state or jurisdiction will also be required.

The required content of the notice is similar to that currently employed by many financial entities and other organizations alerting customers to a possible security breach or identity theft event (e.g., a description of the event, the types of unsecured PHI involved, the steps that the individual should take to mitigate potential harm, and a description of what actions the covered entity is taking to investigate, mitigate losses and protect against further

The Act also includes virtually identical data security breach notification requirements for vendors of PHRs. Because PHR vendors may not be HIPAA-covered entities, instead of notifying the Secretary of a breach of...
