HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
House bill Sec. 4407
Senate bill Sec. 13407
Conference agreement Sec. 13407

This text is from the Conference Committee Report

Current Law

There is no Federal law that requires entities to notify individuals when their health information has been breached.

House Bill

The House bill would require personal health record (PHR) vendors and entities offering products and services through a PHR vendor's website, upon discovery of a breach of security of unsecured PHR health information, to notify the individuals impacted and the FTC. Further, third party service providers that provide services to PHR vendors and to other entities offering products and services through a PHR vendor's website and, as a result, that handle unsecured PHR health information would, following the discovery of a breach of security of such information, be required to notify the vendor or other entity. The requirements in Section 4402 for the content and timeliness of notifications also would apply to this section. Unsecured PHR health information means PHR health information that is not protected through the use of a technology or methodology specified by the Secretary in guidance issued pursuant to Section 4402.

The FTC would be required to notify HHS of any breach notices it received and would be given enforcement authority regarding such breaches of unsecured PHR health information. Within 180 days, the Secretary would be required to issue interim final regulations to implement this section. The provisions in the section would apply to breaches discovered no sooner than 30 days after the regulations are published. The provisions in this section would no longer apply to breaches occurring after HHS or the FTC had adopted new privacy and security standards for non-HIPAA covered entities, including requirements relating to breach notification.

Senate Bill

The Senate bill includes the same provisions.

Conference Agreement

The conference agreement is the same as the House and Senate language with minor clarifications. The conference agreement requires that the FTC issue the regulations, as opposed to the Secretary of HHS. The conference agreement applies the breach notification provision to entities that access and receive health information to and from a personal health record.

Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved.