Sweeping changes to the obligations of providers, health plans and their service providers ("business associates") under HIPAA privacy and security rules were included in the American Recovery and Reinvestment Act of 2009. Previously only health plans and providers were covered under HIPAA and subject to the criminal and civil monetary penalties. Effective February 17, 2010, business associates are now directly covered. These new requirements will require amendments to all business associate agreements. Business associates must also draft policies and procedures to implement their obligations under the privacy and security standards. Immediate steps must be taken to prepare for implementation.

Business associates are subject to direct regulation under the HIPAA security and privacy rules and will be subject to the same criminal and enhanced civil monetary penalties previously applicable only to covered entities. This means that business associates not only must draft the appropriate privacy and security policy and procedure documentation but must monitor such policies to demonstrate that the company has made all reasonable efforts to be in compliance.

New requirements for plans, providers and their business associates include notice to individuals of breaches of unsecured protected health information ("PHI") within sixty days of discovery of the breach. "Unsecured" PHI appears to mean PHI that is not encrypted. The Secretary of Health and Human Services will provide further guidance.

In addition, there is a new expanded responsibility for accounting for disclosures of PHI. Covered entities with electronic health records and their business associates will now need to account for all disclosures for treatment, payment or healthcare operations. This requirement will significantly increase the compliance burden for providers, health plans and healthcare clearinghouses as well as their business associates.

In addition, the Act provides for:

  • new rights for individuals to restrict disclosure of their PHI for payment or health care operations when they pay their providers out of pocket and in full for the treatment;
  • prohibitions on the receipt of remuneration in exchange for access to PHI;
  • restrictions on certain marketing communications when remuneration is received;
  • addition of organizations, such as Regional Health Information Organizations, to the definition of business associates; and
  • a new tiered system of civil monetary penalties and enforcement by state Attorneys General for HIPAA violations.

The new HIPAA provisions statutory provisions, generally, become effective February 17, 2010 although the requirements for notification of a breach of unsecured PHI have an earlier effective date. The new civil monetary penalty provisions are immediately applicable to providers, health plans and healthcare clearing houses. The Secretary is directed to promulgate various regulations between now and August 2010 that will amplify on the statutory changes and implementation requirements.