Related Links

Health care provider organizations that comply with existing HIPAA privacy and security regulations shouldn’t be too concerned about the updates in the rules called for under the economic stimulus package, one attorney advises. That’s because the American Recovery and Reinvestment Act does not call for “wholesale changes” in the HIPAA rules, says Kirk Nahra, a partner at Wiley Rein LLP, Washington.

But ARRA sets tougher penalties, ranging from $25,000 to $1.5 million, for violating a patient’s privacy, he notes. It also will lead to dramatically stepped-up enforcement of privacy and security regulations, he predicts.

Also, state attorneys general now have explicit authority to enforce the HIPAA rules. And under ARRA, individual employees at a health care organization can face criminal charges for violations, Nahra notes.

Nahra made his comments August 17 at the 2009 Legal EHR Conference in Chicago. The American Health Information Management Association sponsored the event.

One significant change as a result of ARRA, the attorney says, is that “business associates” of health care organizations, including software vendors, must notify consumers of security breaches. This requirement, coupled with stepped-up enforcement, will have a “major impact” on vendors, Nahra predicts. And providers will have to revise their vendor contracts to reflect these breach notification provisions, he adds. Further, business associates are more explicitly required to comply with the privacy and security rules under ARRA.

The Federal Trade Commission on August 17 released a final rule governing notification of breaches of information from personal health records (see healthdatamanagement.com/news/PHR-38824-1.html). The Department of Health and Human Services is writing another breach notification rule that will cover a range of health information.

 --Howard Anderson