ARRA 2009: Privacy & Security Changes – Part III

The American Recovery and Reinvestment Act (ARRA) of 2009 was a $787 billion economic stimulus package enacted into law on February 17, 2009. The ARRA amended existing privacy regulations for health care organizations and created some new ones. It also included provisions for greater enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and significant penalties for privacy and security violations. This article explores the provisions for entities not covered by HIPAA, and other changes made by the ARRA.

Four Main Areas of Change

Certain aspects of the ARRA significantly change the types and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:

  1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
  2. Increased enforcement of HIPAA
  3. Provisions to address health information held by entities not covered by HIPAA
  4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series.

Breach Notification

As discussed in an earlier article, the ARRA establishes new breach notification requirements. These requirements are extended to vendors of personal health records and other non-HIPAA covered entities. This means that breach notification requirements now apply to the following entities:

  • Those that offer products or services through the website of a vendor of personal health records.
  • Those that are not themselves HIPAA-covered entities, but that offer products or services through websites of covered entities that offer personal health records.
  • Those that are not themselves HIPAA-covered, but that access information in, or send information to, a personal health record.

HHS & FTC Study

The ARRA also commissions the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to conduct a study and produce a report to Congress on privacy and security requirements for entities that are neither covered entities nor business associates under HIPAA. This study needs to include:

  • Requirements relating to breach notifications that will be subject to the FTC’s new breach notification authority.
  • Which federal government agency is best able to enforce recommended privacy and security protections.
  • A workable timeframe for implementing regulations based on these findings.

Administration Changes

The ARRA established the Office of the National Coordinator (ONC) for Health IT (HIT). It also created a new advisory committee infrastructure with a new HIT Policy Committee and a new HIT Standards Committee, both of which are governed by the Federal Advisory Committee Act (FACA).

The HIT Policy Committee is required to make recommendations regarding technologies that protect privacy and promote security in an electronic health record. This includes those that allow for the segregation of sensitive health information and the use of limited data sets.

The ARRA also creates the position of Chief Privacy Officer (CPO) within the ONC framework. This individual is responsible for advising the National Coordinator on privacy, security and data stewardship of electronic health information. However, the CPO is not responsible for HIPAA oversight.

Studies, Reports & Educational Initiatives

The ARRA commissions a number of studies and reports from the Government Accountability Office (GAO), HHS and FTC. The ARRA also directs the HHS to develop and maintain a thorough national education initiative with the objective of enhancing public transparency regarding the uses of protected health information.

Summary

This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which resulted in some significant changes to the privacy and security regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article covers the provisions for entities that are not currently covered by HIPAA, as well as other miscellaneous changes made by the ARRA.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)