The U.S. Congress passed the American Recovery and Reinvestment Act of 2009. President Obama signed the bill into law on February 17, 2009. The act's main purpose was to spur the creation of jobs in the faltering economy. Specifically, it includes supplemental appropriations for job preservation and creation, infrastructure investment, energy efficiency and science, assistance to the unemployed, and state and local fiscal stabilization.
The law includes Title XIII, a section dealing with new appropriations and requirements for health information technology. This section also contains modifications to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Changes include new requirements for covered entities to notify individuals of security breaches and to comply with privacy disclosure requests from individuals. Business associates have increased duties under the new law, and new enforcement approaches were added. Most provisions were effective on February 17, 2010, although enforcement of certain provisions was delayed.
HIPAA Webcast
Webcast download—Are Your HIPAA Security Measures Keeping You Up at Night?
Originally recorded on Thursday, November 18, 2010
So far, 2010 has brought us expanded obligations, increased penalties and more aggressive enforcement under HIPAA's Security Rules. Plans must carefully consider these new obligations and enhanced risks when ensuring that they maintain ongoing HIPAA compliance.
Government Resources
Conference Report: HIPAA provisions are found in the Health Information Technology section starting on page 473 (page 477 of the PDF)
HR 1
The Health Information Technology for Economic and Clinical Health (HITECH) Act, Congressional Research Service (CRS)
Guidance and Request for Information, Dept. of Health & Human Services (HHS), April 27, 2009
Breach Notification for Unsecured Protected Health Information, interim final rule with request for comments, HHS, August 24, 2009
Health Breach Notification Rule, final rule, Federal Trade Commission, August 25, 2009
HIPAA Administrative Simplification: Enforcement, interim final rule with request for comments, HHS, October 30, 2009
Instructions for Submitting Notice of a Breach to the Secretary (forms included), HHS Office for Civil Rights
HITECH Act Rulemaking and Implementation Update, HHS, March 15, 2010
HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act, request for information, HHS, May 3, 2010
Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, proposed rule, July 14, 2010
Breach Notification Final Rule Update, HHS, July 28, 2010
Additional Resources
Business Associates Beware: First HIPAA Enforcement Action Against a Business Associate (And the Plot Thickens with Transparency Demands), Davis Wright Tremaine LLP, 2/6/12
HHS Issues HITECH/HIPAA Privacy, Security and Enforcement Guidance, McDermott, Will & Emery, September 7, 2010
Important Changes to HIPAA Proposed by HHS: A Summary of Proposed Changes to HIPAA Privacy, Security and Enforcement Rules, Poyner Spruill, September 2010
OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules to Implement HITECH Act, McDermott, Will & Emery, July 27, 2010
DHHS Proposed Rule Implements the HITECH Act and Amends HIPAA Rules, Dechert, July 2010
What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations? Littler, July 2010
HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors, Alston & Bird, July 16, 2010
Federal Government Announces Delay in Enforcement of Certain HITECH Changes to HIPAA Privacy and Security Rules, Sibson Consulting, March 22, 2010
HHS Issues Interim Final Rule Implementing Civil Penalty Provisions of HITECH Act, Mintz Levin, November 4, 2009
New HIPAA Requirements, McGraw Wentworth, October 2009
HHS Posts Reporting Form for HIPAA Breaches, Sibson Consulting, October 9, 2009
HITECH Breach Notification Guidance and Employer Next Steps, Aon Consulting, October 2, 2009
HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information, Proskauer Rose LLP, September 23, 2009
Final Regulations on HITECH Security Breach Notification for HIPAA Protected Health Information, Sibson Consulting, September 2009
HHS Issues Rules Relating to Breach Notification and Related Items under the HITECH Act, Mintz Levin, August 26, 2009
HHS Issues Security Breach Notification Rules, Groom Law Group, August 24, 2009
New HIPAA Breach Notification Regulations Require Immediate Attention, Michael Best & Friedrich, August 21, 2009
HHS Issues Interim Final Rule Governing Security Breach Notification, Foley & Lardner, August 21, 2009
READY, SET, COMPLY! -- New HIPAA Security Breach Notification Rules Require Prompt Action by Covered Entities, Trucker Huss, August 2009
HIPAA Security Breach Notification Rule Refines Key Terms, Faegre & Benson, August 20, 2009
Stimulus Law Includes Major Changes to HIPAA Privacy and Security Rules, Sibson Consulting, March 2009
Changes to HIPAA Usher in New Era of Electronic Health Data, Thompson Hine LLP, March 16, 2009
Stronger Protections for Health Information are Part of the Fiscal Stimulus, Paul Hastings LLP, March 2009
Economic Stimulus Package Ratchets Up Privacy and Security for Health Information, Davis Wright Tremaine, February 18, 2009
The Stimulus Bill’s Effect on the Health Care Industry, Winston & Strawn, February 2009
HITECH Act of Stimulus Bill Imposes More Stringent HIPAA Privacy & Security Requirements, Appropriates Funds for Health Information Technology, Groom Law Group, February 17, 2009
Stimulus Bill Dramatically Modifies HIPAA Rules – Business Associates and Covered Entities Must Address New Requirements, Michael Best & Friedrich, February 17, 2009