HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Notification in the Case of Breach
House bill Sec. 4402
Senate bill Sec. 13402
Conference agreement Sec. 13402

This text is from the Conference Committee Report

Current Law

The Privacy and Security Rules promulgated pursuant to HIPAA do not require covered entities (providers, health plans, or healthcare clearinghouses) to notify HHS or individuals of a breach of the privacy, security, or integrity of their protected health information.

House Bill

In the event of a breach of unsecured PHI that is discovered by a covered entity, the House bill would require the covered entity to notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of such breach. Exceptions to the breach notification requirement are for unintentional acquisition, access, use or disclosure of protected health information. For a breach of unsecured PHI under the control of a business associate, the business associate upon discovery of the breach would be required to notify the covered entity. Notice of the breach would have to be provided to the Secretary and prominent media outlets serving a particular area if more than 500 individuals in that area were impacted. If the breach impacted fewer than 500 individuals, the covered entity involved would have to maintain a log of such breaches and annually submit it to the Secretary.

The House bill would define unsecured PHI as information that is not secured through the use of a technology or methodology identified by the Secretary as rendering the information unusable, unreadable, and undecipherable to unauthorized individuals.

The House bill would require the Secretary each year to report to appropriate committees in Congress on the number and type of breaches, actions taken in response, and recommendations made by the National Coordinator on how to reduce the number of breaches. Within 180 days of enactment, the Secretary would be required to issue interim final regulations to implement this section. The provisions in the section would apply to breaches discovered at least 30 days after the regulations were published.

Senate Bill

Same provision, but without any reference to recommended encryption standards in issuing annual guidance on securing PHI.

Conference Agreement

Similar provision to the House bill with one difference: notifications in cases of unintentional disclosures would be required unless such disclosure is to an individual authorized to access health information at the same facility.

Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved.