ARRA: Implementation Challenges

In previous articles, we discussed some of the new requirements and restrictions imposed on healthcare providers and health care organizations by the American Recovery and Reinvestment Act (ARRA) of 2009. This Act amended and created some new privacy regulations, stricter enforcement requirements and set some investigations in motion. In this article, we’ll take a look at some of the challenges that have come up in the implementation of the ARRA.

The ARRA privacy provisions that created the most worry amongst health care organizations nationwide are as follows:

  1. Breach notification
  2. Accounting for disclosure
  3. Out-of-pocket payments
  4. Electronic copies of electronic health records

These challenges will be explored in further detail in this article.

Breach Notification Woes

The data breach notification regulations were the first of the ARRA privacy changes to take effect. According to the Act, the Department of Health and Human Services (HHS) is responsible for oversight of organizations that qualify as covered entities and business associates under Health Insurance Portability and Accountability Act (HIPAA). The Federal Trade Commission has oversight of all other parties (e.g. vendors of personal health records).

One of the largest challenges of this was to sort out whether state or federal law is more stringent and under which circumstances. Healthcare providers and other entities covered by the ARRA are required to go with the most stringent legislation.

One strategy is for healthcare organizations to prepare privacy and security policies that cover all laws. It’s rather difficult as privacy and data breach laws can vary greatly from one state to another. Healthcare entities in each state are required to determine how the federal ARRA differs from their individual state laws.

Accounting for Disclosure

ARRA’s accounting for disclosures provision requires healthcare entities using electronic health records to provide an accounting or audit trail of all record disclosures. However, the exact content of these disclosures were not described in the new Act, instead they were left for the HHS to determine. Healthcare providers are worried that it is technically impossible to track every access to every patient record. This could be an extremely time-consuming endeavor, sapping providers of resources that could be directed towards treating patients.

Cassi Birnbaum, director of health information and privacy officer at Rady Children’s Hospital of San Diego comments, “It is very, very tough [technologically]… We can require that everyone does a quick disclosure whenever they are handing information out to somebody outside of the organization. But when you are disclosing information to another clinician, that would be so disruptive to patient care.”

Observers point out that while the ARRA legislation might have underestimated the diversity in today’s electronic health records systems, the legislators did acknowledge that the majority of existing systems are unable to meet the accounting for disclosure requirements. This is why organizations using such systems purchased before January 1, 2009 are given until January 2014 to comply.

Out-of-Pocket Costs

The ARRA allows patients to prevent disclosure of their health data to their health insurance plans if they had paid for the treatment out-of-pocket. In order to comply with this request, healthcare providers need to separate out records generated from treatment. This is a technically difficult task and raises administrative issues. This provision stems from concerns that insurance providers could use certain medical information to modify their coverage of clients.

Electronic Copies of Records

Technological limitations also create problems for an ARRA provision requiring providers to give patients electronic copies of their electronic health records upon request. Like many other regulations, state law varies, and most states default to HIPAA regulations. Providers and other entities searching for new electronic health records systems are required to discuss this provision with vendors to ensure that they will be able to meet compliance requirements. This creates new opportunities for vendors and third-party developers to create add-ons to their products to electronically reproduce records conveniently.

According to Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington DC, the ARRA privacy provisions represent a “major change in privacy law… [It is the] biggest [change] since HIPAA was enacted and there hasn’t yet been a lot of guidance coming out of the regulators about how to comply with both [state and federal] law and what the rules really mean. So this creates a lot of uncertainty in the marketplace.”


This article takes a look at some of the difficulties involved in implementing the privacy and security requirements introduced by the American Recovery and Reinvestment Act (ARRA) of 2009. The ARRA privacy provisions that created the most worry amongst health care organizations nationwide are: 1) Breach notification; 2) Accounting for disclosure; 3) Out-of-pocket payments; and 4) Electronic copies of electronic health records. This article explores each of these challenges.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>