The American Recovery and Reinvestment Act of 2009 (the "Act") substantially amends the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Act tightens the rules and regulations that apply to any group or individual that comes into contact with protected health information ("PHI"), and it requires business associates, not just covered entities, to comply with the HIPAA privacy and security rules. These and other significant changes are briefly described below:
Impact on Business Associates – As mandated by the Act, business associates will now be required to comply with the requirements of the HIPAA privacy and security rules. In addition, a business associate's failure in this regard may now result in the imposition of fines and penalties by the Department of Health & Human Services ("HHS").
Notice of Breach – Covered entities will be required to notify an individual of a breach with regard to the individual's unsecured PHI. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (in practice, encryption or destruction); PHI that has been secured in this way is outside the notification requirement. Prior to the Act, covered entities were required to mitigate the harmful effect of any breach, but were not required to notify affected individuals. Business associates will be required to notify the covered entity of a breach with regard to unsecured PHI.
HHS Audits – The Act requires HHS to conduct audits of covered entities and business associates to enforce the privacy and security rules, and to formally investigate any complaints. Prior to the Act, audits by HHS were permitted but not required.
Increased Fines & Penalties – The Act substantially increases monetary penalties for noncompliance and ties them to the violator's level of culpability. For example, the former $100 per-violation penalty, with a maximum annual penalty of $25,000, becomes $1,000 per violation with a maximum annual penalty of $100,000 for violations due to reasonable cause. Maximum annual penalties for more culpable conduct are higher still: violations due to willful neglect that are not corrected carry a maximum annual penalty of as much as $1.5 million.
These are just a few highlights of the changes made to the HIPAA privacy and security rules by the Act. While many of the changes will not go into effect until after guidance is issued, some are effective now. As a result, covered entities and business associates may be required to take action, including, but not limited to, modifying or creating privacy and security policies and procedures, amending business associate agreements, re-training employees, and distributing revised HIPAA privacy notices. Employers that sponsor health and welfare plans that are covered entities, and entities that are business associates, should start taking action now to comply with these provisions of the Act.