The economic stimulus package also includes new privacy and security requirements for the handling of medical records. Many of the provisions will become effective in 12 months. Although the focus of the legislation is on electronic records, most of the provisions apply to paper records as well.
The legislation expands the Health Insurance Portability and Accountability Act (HIPAA) to include business associates who work with medical records for doctors, hospitals and other covered entities. Under the legislation, business associates will be subject to criminal and civil penalties. This extension of HIPAA will greatly impact health IT companies.
The legislation also includes a requirement that covered entities and business associates notify individuals in the event of a security breach of their personal health data. Breaches that involve 10 or more patients must be posted on the covered entity or business associate's website. Breaches involving 500 or more patients must be disclosed to prominent media and must be immediately reported to HHS. These breach notification provisions will preempt less stringent state laws, creating a federal “floor” for notification requirements.
The Act also requires HHS to issue guidance within 18 months as to what constitutes the "minimum necessary" amount of data for purposes of HIPAA's requirement that the minimum necessary data may be disclosed for non treatment purposes.
The legislation also includes provisions for the following:
- Prohibiting covered entities and business associates from selling individuals' health records without the individuals' specific consent;
- Extending the HIPAA Privacy Rule to cover companies that offer EHRs to individuals; and
- Providing that patients may block physicians from sending their information to insurance companies if patients pay for their appointments.
The Act increases penalties for HIPAA violations and gives states attorneys general enforcement rights on behalf of citizens. In addition, the Act requires that regional privacy advisers be appointed in HHS's 10 regional offices. The privacy advisers will be responsible for ensuring compliance with the new rules. Finally, a new Health IT Policy Committee and Health IT Standards Committee will become the lead advisory board to the Office of the National Coordinator for Health Information Technology at HHS, replacing the privately run National eHealth Collaborative.