HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Studies, Reports, Guidance
House bill Sec. 4424
Senate bill Sec. 13424
Conference agreement Sec. 13424

This text is from the Conference Committee Report

Current Law

Any person who believes a covered entity is not complying with the privacy rule may file a complaint with HHS. The rule authorizes the Secretary to conduct investigations to determine whether covered entities are in compliance. HIPAA does not require the Secretary to issue a compliance report.

The HIPAA Administrative Simplification standards apply to individual and group health plans that provide or pay for medical care; health care clearinghouses (i.e., entities that facilitate and process the flow of information between health care providers and payers); and health care providers. In addition, the privacy and security standards apply to business associates with whom covered entities share health information. They do not apply directly to other entities that collect and maintain health information, including Health Information Exchanges, RHIOs, and PHR vendors, unless they are acting as providers or plans.

The HIPAA standards are intended to protect individually identifiable health information; de-identified information is not subject to the regulations. Under the privacy rule, health information is de-identified if 18 specific identifiers (e.g., name, social security number, address) have been removed, or if a qualified statistician, using accepted principles, determines that the risk is very small that the individual could be identified.

Generally, plans and providers may use and disclose health information for the purpose of treatment, payment, and other health care operations without the individual's authorization and with few restrictions. Covered entities may, but are not required to, obtain an individual's general consent to use or disclose PHI for treatment, payment, or health care operations.

House Bill

The Secretary would be required annually to submit to specified Congressional Committees and post online a compliance report containing information on (1) the number and nature of complaints of alleged violations and how they were resolved, including the imposition of civil fines, (2) the number of covered entities receiving technical assistance in order to achieve compliance, as well as the types of assistance provided, (3) the number of audits performed and a summary of their findings, and (4) the Secretary's plan for the following year for improving compliance with and enforcement of the HIPAA standards and the provisions of this subtitle.

The House bill would require the Secretary, within one year and in consultation with the Federal Trade Commission (FTC), to study the application of health information privacy and security requirements (including breach notification) to non-HIPAA covered entities and report the findings to specified House (Ways and Means, Energy and Commerce) and Senate (Finance, HELP) Committees. The report should include an examination of PHR vendors and other entities that offer products and services through the websites of PHR vendors and covered entities, provide a determination of which federal agency is best equipped to enforce new requirements for non-HIPAA covered entities, and include a time frame for implementing regulations.

The House bill would require the Secretary, within one year of enactment and in consultation with stakeholders, to issue guidance on how best to implement the HIPAA privacy rule's requirements for de-identifying PHI.

The House bill would require GAO, within one year, to report to the House Ways and Means and Energy and Commerce Committees and the Senate Finance Committee on best practices related to the disclosure of PHI among health care providers for the purpose of treatment. The report must include an examination of practices implemented by states and other entities, such as health information exchanges, and how those practices improve the quality of care, as well as an examination of the use of electronic informed consent for disclosing PHI for treatment, payment, and health care operations.

Senate Bill

The Senate bill includes the same provisions, with the additional requirement that GAO, within one year, report to Congress and the Secretary on the impact of the bill's privacy provisions on health care costs.

Conference Agreement

The conference agreement maintains most all study language and adds a study that requires the Secretary to review the definition of "psychotherapy notes" with regard to including test data that are part of a mental health evaluation. The Secretary may revise the definition by regulation based on the recommendations of the study. In addition, the conference agreement broadened the study added by the Senate on the impact of the bill's privacy provisions on health care costs. It requires the GAO to study the impact of all the provisions of the HITECH Act on health care costs, adoption of electronic health records by providers, and reductions in medical errors and other quality improvements.

 

 

 

Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved.  Please read our Privacy Notice.