The American Recovery and Reinvestment Act (Act) signed into law on February 17 contains several important health initiatives relating to the Health Insurance Portability and Accountability Act (HIPAA) and information technology. A brief summary follows.
Privacy and Security Measures
The Act expands HIPAA's security and privacy rules by imposing a statutory requirement on business associates of covered entities to comply with HIPAA's privacy and security rules, rather than merely a contractual obligation. In addition, each organization that provides data transmission to a covered entity or business associate is required to have a written contract and will be treated as a business associate (including health information exchanges, regional health information organizations, and electronic prescribing and personal health records vendors). The Act also subjects business associates to civil and criminal penalties for violating HIPAA's security and privacy rules and increases penalties for violations. The Act requires the Secretary of Health and Human Services (HHS) to impose penalties for violations due to willful neglect and authorizes rulemaking to allow harmed individuals to receive a percentage of any monetary civil penalty or settlement.
The Act also establishes a process for notification when protected health information (PHI) is breached by requiring covered entities to notify individuals whose "unsecured protected health information" has been or is reasonably believed to have been "breached." Business associates are also required to notify covered entities of such breaches. Breach notifications must be made without unreasonable delay, and no later than 60 calendar days after discovery, by first class mail or, if an individual has specified it as a preference, by email. If contact information is insufficient, substitute methods are permitted, including notification via the media and posting on the covered entity's website. Notice to the media and to the Secretary of HHS is required if more than 500 individuals' information is breached, in which case the Secretary will post on the HHS website a list of the covered entities involved in the breach.
Vendors and other providers of personal health records are also required to notify individuals and the Federal Trade Commission of breaches of unsecured PHI. The Secretary of HHS, in consultation with stakeholders, will issue guidance specifying technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals. Interim final regulations must be promulgated no later than August 15, 2009. Notification requirements apply to breaches that are discovered on or after the date that is 30 days after the date of publication of the interim final rules.
The Act also provides patients with increased rights to privacy and security regarding their health information. It requires covered entities to comply with requests from patients who have paid their expenses out of pocket in full not to disclose their PHI to health plans for purposes of payment or health care operations, unless disclosure is otherwise required by law. In addition, it gives patients the right to receive from covered entities that use electronic health records an accounting of the PHI disclosures made for treatment, payment and health care operations in the three years prior to the request. Effective dates for this provision vary depending on when the electronic health records were acquired.
Covered entities are required, to the extent practicable, when sharing PHI with other entities, to make reasonable efforts to restrict the use, disclosure or request of PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure or request subject to certain exceptions (further guidance will be issued at a later date). Sale of an individual's PHI without authorization is prohibited, subject to certain exceptions. In addition, the Act requires providers to obtain patient authorization before PHI can be used for marketing and fundraising activities. Patients may also opt out of fundraising efforts.
The Act also gives patients the right to receive medical information in electronic format without charge if a provider maintains patients' medical records electronically and to direct the covered entity to transmit the records to a designated third party. The fee for an electronic copy may not exceed the covered entity's labor costs.
In addition, the Act gives state attorneys general HIPAA enforcement authority.
Office of the National Coordinator for Health Information Technology (ONCHIT) and Advisory Committees
The Act makes permanent the Office of the National Coordinator for Health Information Technology and creates the position of chief privacy officer. It requires the National Coordinator to update the Federal Health IT Strategic Plan to include specific objectives, milestones and metrics with respect to the electronic exchange and use of health information, the utilization of an electronic health record (EHR) for each person in the United States by 2014 and the incorporation of privacy and security protections for the electronic exchange of an individual's health information. It also requires the National Coordinator to develop a governance mechanism for the nationwide health information network.
Under the Act, the Health Information Technology Policy Committee must recommend a policy framework for the development and adoption of a nationwide health information technology (HIT) infrastructure including recommendations on technologies that protect the privacy and security of electronic health information, EHR technologies that allow for an accounting of disclosures and the utilization of a certified EHR for each person in the United States by 2014. The HIT Standards Committee is to recommend to the National Coordinator standards, implementation specifications and certification criteria for the electronic exchange and use of health information.
The Secretary of HHS is required to adopt standards, implementation specifications and certification criteria for HIT (which is voluntary for private entities). The Act also requires federal agencies and health care providers, plans or insurers contracting with federal agencies to utilize HIT systems and products, where available, that meet these standards. Standards will initially be reviewed by the National Coordinator and recommended by the HIT Standards and Policy Committees. Initial standards must be adopted no later than December 31, 2009.
The Act also establishes a voluntary certification process for HIT products. The National Institute of Standards and Technology will test products to ensure they meet national standards for secure exchanges. After standards are adopted, the National Coordinator must make an electronic health record available for a nominal fee unless the Secretary determines the needs of providers are being met through the marketplace.
Provider Incentives/Medicare and Medicaid
The Act funds incentives for providers to implement HIT and electronic health records. It requires the Secretary to invest in the adoption and use of HIT by health care providers who serve Medicare and Medicaid patients. Beginning in 2011, providers participating in the Medicare program will be eligible for temporary bonus payments if they demonstrate to the Secretary that they are meaningfully using a certified HIT system; those who do not will not receive full Medicare payments. Hardship exceptions will be available to providers who face significant barriers to adoption, such as limited Internet access.
The Act authorizes appropriations of US$19 billion (US$2 billion in discretionary funds and US$17 billion through investments and provider incentives through Medicare and Medicaid) for implementation of these measures.