Stronger Protections for Health Information are Part of the Fiscal Stimulus
By Behnam Dayanim, Eric Keller and Kelly DeMarchis
A key part of the fiscal stimulus package (the Act), signed by President Obama into law on February 17, 2009, included sweeping changes to the health information privacy and security provisions promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Many of these new protections will take effect February 17, 2010 (one year after enactment of the Act); however, some have their effective dates delayed until the Department of Health and Human Services (HHS) provides specific guidance. The Act calls for guidance in several areas, so increased rulemaking activity should be expected from HHS in the coming months.
Among other things, the Act imposes many of its security standards directly on business associates, enacts new notification requirements for a breach of unsecured protected health information (PHI), expands disclosure obligations for covered entities and rights for individuals who are the subject of the PHI, increases penalties, and extends enforcement authority beyond HHS to include state attorneys general.