Bricker & Eckler LLP: HIPAA Changes in H.R. 1 -- The American Recovery and Reinvestment Act of 2009

Search HIPAA

Related Services

Health & Insurance

Back to Index of HIPAA Changes

HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Application of Privacy Provisions and Penalties to Business Associates of Covered Entities
House bill Sec. 4404
Senate bill Sec. 13404
Conference agreement Sec. 13404

This text is from the Conference Committee Report

Current Law

The Privacy Rule promulgated pursuant to HIPAA permits a covered entity to disclose health information to a business associate or to allow a business associate to create or receive health information on its behalf, provided the covered entity receives satisfactory assurance in the form of a written contract that the business associate will appropriately safeguard the information.

Violations cannot be enforced directly against business associates. Although covered entities are not liable for, or required to monitor, the actions of their business associates, if it finds out about a material breach or violation of the contract by a business associate, it must take reasonable steps to remedy the situation, and, if unsuccessful, terminate the contract. If termination is not feasible, the covered entity must notify HHS.

House Bill

The House bill would apply the HIPAA Privacy Rule, the additional privacy requirements, and the civil and criminal penalties for violating those standards to business associates in the same manner as they apply to the providers and health plans for whom they are working.

Senate Bill

Same provision.

Conference Agreement

Same provision.

Subscribe to
HIPAA E-Alerts

Archived HIPAA E-Alerts

Highlights

Subscribe to the HIPAA Self-Assessment and Compliance Guide For Health Care Providers and Health Plans -- A guide for complying with the new 2009 HIPAA requirements in the Recovery Act and updated to include the new breach notification regulations.