The American Recovery and Reinvestment Act of 2009 (ARRA) has some direct impacts and implications for HIPAA implementation and compliance. Individuals now have more rights regarding disclosure of their protected health information (PHI); the privacy and security provisions of HIPAA for covered entities and business associates are expanded as well. Not surprisingly, the ARRA also provides for increased enforcement and penalties for noncompliance.
So what are the big changes?
– Business Associates are now covered under and subject to HIPAA Privacy and Security Rules. Prior to the ARRA being enacted, only health plans and health care providers (covered entities) were subject to HIPAA. Who is a business associate? “A business associate is any person or entity who performs or helps perform a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Third-party administrators, utilization reviewers and attorneys who represent covered entities are among the parties who are frequently treated as business associates.” This becomes effective February 17, 2010.
– Individuals must now be notified within 30 days if there is a security breach of their PHI; the local press must be notified if there are more than 500 privacy or security breaches within the same geographic area. Logs of breaches must be kept and reported to HHS annually.
– When a complaint is made, the ARRA requires HHS to formally investigate a covered entity or business associate; regular audits for HIPAA privacy and security compliance are now required as well.
– It’s now more expensive than ever to pay for violations. Under ARRA, for violations of an identical requirement during the same calendar year, penalties can range, depending on the type of violation, from $100 to $50,000 per violation, with an annual cap of $25,000 to $1.5 million.
For additional information, you can read more at http://www.stradley.com/newsletters.php?action=view&id=439