Drafts of the economic recovery package, known as the American Recovery and Reinvestment Act, contain billions of dollars for promotion and implementation of health information technology (health IT). The $819 billion House package includes more than $20 billion for health IT, such as $2 billion for the Office of the National Coordinator for Health Information Technology (ONC).
In addition to implementing a number of other privacy provisions, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is included in the stimulus package, would create a federal data breach notification law with respect to protected health information.
Late on January 28, the House bill passed by a vote of 244-188, with no Republican votes; 11 Democrats also opposed the bill. The vote sent the bill to the Senate, where Democrats unveiled their own legislative blueprint on January 23.
On January 27, two Senate committees – Appropriations and Finance – cleared the Senate package, the health IT provisions of which largely mirror those passed by the House; Senate debate on its $885 billion measure began February 2.
Both bills include a number of privacy-related provisions, including data breach notification requirements for personal health information. Specifically, the legislation would create a federal law requiring notification within 60 days of discovery of a breach related to health information. Individuals must be notified if there has been, or is reasonably believed to have been, an unauthorized use or disclosure of their personal health information.
If the breach involves more than 500 residents of a state or jurisdiction, notice must be sent to the Secretary of Health and Human Services (HHS), in addition to the local news media serving the affected residents. For breaches involving fewer than 500 people, covered entities must log the event and send the log to the HHS Secretary on an annual basis. The Secretary must make these breaches public, unless a law enforcement official determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security.
Other privacy provisions include new marketing restrictions, broad accounting for disclosure requirements, and enhanced HIPAA enforcement, such as providing state Attorneys General with authority to bring civil HIPAA enforcement actions.
Democratic leaders aim to have the bills melded into a single piece of legislation and ready for President Obama's signature by mid-February.
Copies of the legislation by Committee are available here: