ARRA 2009: Privacy & Security Changes – Part I

The American Recovery and Reinvestment Act (ARRA) of 2009 was an economic stimulus package enacted into law on February 17, 2009. For our purposes here, the ARRA amended existing privacy regulations for health care organizations and created new ones.

According to the commentary in President Obama’s Budget for Fiscal Year 2010:

“These incentives, coupled with other activities authorized in… [ARRA], are expected to result in a dramatic increase in the percentage of health care providers using health IT within five years. Computerized health records – while protecting the privacy and security of personal health information – is expected to facilitate improvements in the quality of health care, prevention of unnecessary health care spending, and a reduction in medical errors.”

The privacy and security provisions are found in ARRA's Title XIII (the HITECH Act), Subtitle D, and in certain parts of Subtitle A. Most of these provisions took effect on February 17, 2010, one year after enactment, although individual provisions have their own effective dates and a more detailed implementation timeline was published separately.

Four Main Areas of Change

Several provisions of the ARRA significantly change the kind and the level of privacy and security requirements that health care providers must follow. The ARRA makes substantial modifications in the following four areas:

  1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
  2. Increased enforcement of HIPAA
  3. Provisions to address health information held by entities not covered by HIPAA
  4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA statutory requirements.

Business Associates & Compliance

Prior to the enactment of the ARRA, HIPAA required covered entities (e.g. hospitals, physicians and health plans) to enter into contracts (called "business associate agreements") with entities performing functions or providing services on their behalf, where those functions or services involved the exchange of protected health information. The business associate agreement required the business associate to apply appropriate security safeguards to the health information it received and was responsible for. It is important to note that before the ARRA, business associates were not directly subject to governmental enforcement action; a covered entity's only recourse against a business associate was to sue it for breach of contract.

The ARRA requires business associates to comply directly with the administrative, physical and technical safeguard provisions of the HIPAA Security Rule, and with its policies and documentation requirements, in the same way a covered entity must. Business associates must also comply with the Privacy Rule provisions that their contract with the covered entity makes applicable to them. In addition, the new Privacy Rule requirements that the ARRA imposes on covered entities apply to business associates directly, so a business associate must follow them even if its agreement with the covered entity has not yet been updated to include them.

Data Breaches

Originally, HIPAA did not require covered entities to notify affected individuals when their protected health information was breached. The ARRA now requires that individuals be notified when their unsecured protected health information has been breached. Health information counts as "unsecured" when it has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a method specified in guidance from the Secretary (in practice, encryption or destruction); the loss of properly encrypted data therefore does not by itself trigger notification, which makes the encryption of data at rest and in transit the most important technical control for limiting breach exposure. Where work is outsourced, a business associate that discovers a breach must notify the covered entity, and the covered entity must then notify the individuals concerned.

Restricting Disclosures

The ARRA requires covered entities (and their business associates) to honor an individual's request to restrict disclosure of protected health information to a health plan for purposes of payment or health care operations, if the information pertains solely to a health care item or service for which the individual, or someone other than the health plan on the individual's behalf, has paid the provider in full out of pocket.

“Minimum necessary” Amounts

The Privacy Rule provides that only the minimum necessary amount of protected health information may be accessed, used or disclosed (except for treatment and certain other specified purposes). The ARRA requires the Secretary to issue guidance on what "minimum necessary" means. Until that guidance is issued, a covered entity is treated as meeting the standard if, to the extent practicable, it limits the information used or disclosed to a limited data set or, where more is needed, to the minimum necessary to accomplish the purpose. A limited data set is one stripped of a number of categories of direct patient identifiers; it can be used pursuant to a data use agreement for research, public health and health care operations purposes.

Disclosures of Personal Health Information

The Privacy Rule originally required covered entities to provide, upon request, an accounting of disclosures of protected health information from the individual's record for the previous six years. A number of disclosures were exempted from this requirement, including disclosures for treatment, payment and health care operations. The ARRA removes that exemption for covered entities that use electronic health records: disclosures for treatment, payment and health care operations made through an electronic health record must now be included in the accounting. However, the accounting of such disclosures only needs to cover the previous three years rather than six, which in practice means the electronic health record system must log who received what information and why, and retain that log for at least three years.

No “Sale” of Protected Health Information

The ARRA prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for an individual's protected health information without the individual's authorization. The authorization must also specify whether the information may be further exchanged for remuneration by the entity that receives it. There are, of course, exceptions to this provision, such as disclosures for public health activities, for treatment, or for research where the fee is limited to the cost of preparing and transmitting the data.

Right of Access

The HIPAA Privacy Rule has always protected an individual's right to inspect and obtain a copy of his or her health records, normally within thirty days of the request. The ARRA requires covered entities that use electronic health records to provide the individual with an electronic copy of the record and, at the individual's direction, to transmit that copy directly to a person or entity the individual designates. Any fee charged for the copy may not exceed the covered entity's labor cost of responding to the request.

Marketing Communications

The ARRA imposes stricter rules on authorization for marketing communications. If a covered entity is paid by an outside party to send a communication to a patient, the communication is treated as "marketing" and therefore requires the patient's prior authorization.

There are some exceptions to this rule. For instance, protected health information may be used without authorization for a communication that describes a drug or biologic currently being prescribed to or administered to the individual, as long as any payment the covered entity receives for the communication is reasonable in amount. Communications for which the covered entity has obtained the patient's authorization may also be paid for by outside parties.

Opting Out of Fundraising

Previously, covered entities could use an individual's demographic information, together with the dates on which the individual received care, to send fundraising communications without the individual's prior authorization. The ARRA now requires the Secretary to issue a rule under which every such communication must give the individual a clear and conspicuous opportunity to opt out of receiving further fundraising communications.


Summary

The American Recovery and Reinvestment Act (ARRA) of 2009 made significant changes to the privacy and security regulations established under the Health Insurance Portability and Accountability Act (HIPAA). The provisions that make these changes are contained in ARRA's Title XIII, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) increased enforcement of HIPAA; 3) provisions to address health information held by entities not covered by HIPAA; and 4) other changes, including administrative changes, studies, reports and educational initiatives. This article covered the first of these areas, the modifications the ARRA made to HIPAA statutory requirements around privacy and security; the remaining areas are covered in the other articles in this series.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)
