HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009
Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions
House bill Sec. 4401 Senate bill Sec. 13401 Conference agreement Sec. 13401
This text is from the Conference Committee Report
Current Law
The Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) includes three sets of safeguards: administrative, physical, and technical, required of covered entities (providers, health plans, and healthcare clearinghouses). Administrative safeguards include such functions as assigning or delegating security responsibilities to employees, as well as security training requirements. Physical safeguards are intended to protect electronic systems and data from threats, environmental hazards, and unauthorized access. Technical safeguards are primarily IT functions used to protect and control access to data.
HIPAA permits business associates (those who perform business functions for covered entities) to create, receive, maintain, or transmit electronic health information on behalf of a covered entity, provided the covered entity receives satisfactory assurance, in the form of a written contract, that the business associate will implement administrative, technical, and physical safeguards that reasonably and appropriately protect the information.
Violations cannot be enforced directly against business associates. Although providers and health plans are not liable for, or required to monitor, the actions of their business associates, a covered entity that learns of a material breach or violation of the contract by a business associate must take reasonable steps to remedy the situation and, if unsuccessful, terminate the contract. If termination is not feasible, the covered entity must notify HHS.
House Bill
The House bill would apply the HIPAA security standards, and the civil and criminal penalties for violating those standards, to business associates in the same manner as they apply to the providers and health plans for whom they are working. It also would require the Secretary, in consultation with stakeholders, to issue annual guidance on the most effective and appropriate technical safeguards for protecting electronic health information, including the technologies recommended by the HIT Policy Committee that render information unusable, unreadable, or indecipherable.
Senate Bill
Same provision, but without any reference to recommended safeguard technology standards.
Conference Agreement
The conference agreement includes the language contained in the House bill.