Guide to HIPAA Changes in the Stimulus Package

It’s old news that President Obama signed into law the American Recovery and Reinvestment Act, popularly known as the Stimulus Package, last month. What hasn’t been in the news are the dramatic changes the law makes to HIPAA (Health Insurance Portability and Accountability Act) security rules. The changes bind business partners to the rules, require notifications for breaches, expand who can claim damages and increase penalties for violations. These are just some of the most important changes to the HIPAA security rules.

Arguably the biggest change is the expansion of who is covered by HIPAA. The law now sets the same security requirements for business associates as covered entities. This includes the administrative, physical, and technical safeguards required by the Security Rule. This will require each business partner to support a security officer, develop written procedures, and train their workforce to protect private health information. In short, they need better data security from creation to shredding. A business associate is also now subject to civil and criminal penalties under HIPAA.

A second major change to the law is the addition of a security breach notification requirement. Covered entities and business associates are now required to notify individuals of security breaches. A security breach occurs when protected health information is disclosed, whether through accidental exposure or through theft. The notification must be made by mail or electronic mail, according to the preference of the person affected. For large security breaches, defined as those affecting more than 500 people, a “prominent media outlet” must also be notified. The Department of Health and Human Services (HHS) must also be notified. The law requires a website managed by HHS for public disclosure of violations.

Penalties for security violations have also increased significantly. The violation fine increased from $100 per individual capped at $25,000 to $1,000 per individual capped at $100,000. There may also be a $10,000 fine for willful negligence that is capped at $250,000. Topping the list of fines is $50,000 if problems are not properly corrected with a cap of $1.5 million per calendar year.

The law expands who can sue for HIPAA violations. Now it is possible for the fines to go to the affected individuals and their lawyers. This dramatically increases the incentive for lawyers to file lawsuits. State attorneys general can also take action against covered entities and business associates on behalf of their residents. This is a significant change from the current system, in which only individuals could seek action from HHS. It’s not hard to imagine a land rush as lawyers and state attorneys general hurry to file lawsuits against medical offices that violate the Security Rule.

But there is good news for the medical industry. HHS is now required to provide annual guidance on the most effective and appropriate information safeguards. The guidance must specify the technologies and methodologies that must be used to keep private medical information secure. The goal is to reduce confusion about what is and is not acceptable electronic security.

Most of the new rules will go into effect on February 17, 2010. However, some of the provisions have different effective dates that are not clearly stated. Business associates and covered entities should examine each provision carefully to determine which effective date applies.
