ARRA 2009: Privacy & Security Changes – Part II

The American Recovery and Reinvestment Act (ARRA) of 2009 was a $787 billion economic stimulus package enacted into law on February 17, 2009. The ARRA amended existing privacy regulations for health care organizations and created some new ones. It also included provisions for greater enforcement of HIPAA and significant penalties for privacy and security violations. This article explores the new and updated enforcement requirements.

Four Main Areas of Change

Certain aspects of the ARRA make significant changes to the types and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:

  1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
  2. Increased enforcement of HIPAA
  3. Provisions to address health information held by entities not covered by HIPAA
  4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA enforcement policy and procedure.

Direct Accountability

The ARRA amends the original legislation and makes business associates directly accountable to federal and state authorities for failure to comply with any applicable provisions of the HIPAA Privacy and Security Rules. Under the original Act, government authorities were unable to hold business associates accountable for failing to comply with their agreements; only covered entities could be held liable for the actions of their business associates, and only in limited circumstances.

Criminal Penalties

ARRA provides important clarification that HIPAA’s criminal penalties can be enforced against individuals. This includes, but is not limited to, employees of a covered entity. This provision essentially overrules a Department of Justice memo issued during the Bush Administration that declared only covered entities could be criminally prosecuted for violations of HIPAA.

ARRA also clarifies that Health and Human Services (HHS) and state attorneys general can pursue a civil HIPAA violation in cases where criminal penalties could be imposed, but the Department of Justice declines to pursue the case. The Secretary is required to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect. The Secretary must also impose a civil monetary penalty if a violation is found to constitute willful neglect of the law. The Government Accountability Office (GAO) will need to develop a methodology for individuals affected by HIPAA violations to receive a percentage of any penalty or monetary settlement collected.

There is also a new tiered penalty structure, based on the level of the HIPAA violation, which is capped at $50,000 per violation and an annual maximum of $1.5 million.

Enforcement by State Attorneys General & Secretary Auditing

A number of states authorize their attorneys general to enforce federal consumer protection laws, which include HIPAA. ARRA expressly authorizes all state attorneys general to enforce HIPAA in federal district court. This means that attorneys general in all states are able to enforce the law, even if no state authorizing statute exists. Penalties imposed in such situations are limited to the former statutory minimum set by HIPAA: $100 per violation and $25,000 annually for repeat violations of the same provision.

The Secretary has the right to intervene in the application of this provision where necessary. The ARRA also requires the Secretary to perform periodic audits to ensure compliance with the new provisions.


This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA enforcement.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)
