
It’s Not Just About the Money: How the New Stimulus Bill Expands HIPAA Privacy and Security Requirements



The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) developed four major health information standards: (1) Transaction and code standards; (2) Privacy standards; (3) Security standards; and (4) National identifier standards. The privacy and security standards were developed to increase and/or protect the confidentiality and availability of a patient’s medical information. HIPAA privacy and security rules set certain compliance standards for healthcare professionals.

2. Stimulus Bill

On February 17, 2009, House Resolution 1 became Public Law No. 111-005. Titled the “American Recovery and Reinvestment Act of 2009” (the “Act”), most will recognize it as the “Stimulus Bill” or “Stimulus Package.” While the primary purpose behind the Act was to stabilize the struggling economy by creating jobs and assisting those affected by the recession, other significant provisions were included that amended existing laws and regulations such as the HIPAA privacy and security rules. Unless otherwise specified, the requirements discussed below will take effect twelve months from the enactment of the Act.

HIPAA Changes

The following is an analysis of some of the changes from the Act as it relates to HIPAA.

1. Business Associates

Covered entities are required to protect any and all electronic protected health information (“PHI”) created, received, maintained, or transmitted. A “covered entity” includes hospitals, surgery centers, physicians, medical groups and other medical facilities. The rules require certain administrative, physical and technical safeguards, as well as the establishment of policies, procedures and documentation standards. Previously, the rules required covered entities to obtain satisfactory assurances of protection through written contracts or agreements from business associates in order to allow a business associate to create or receive PHI on its behalf. Business associates are people who, on behalf of covered entities, engage in a function or activity that involves the use or disclosure of personal identifiable health information. It also includes people who provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services where the provision of those services involves the disclosure of individually identifiable health information to the person.

The Act now expands the rules applicable to covered entities requiring safeguards, policies, procedures and documentation standards to directly govern business associates. Business associates can no longer implement their own defined reasonable and appropriate safeguards. As such, CPAs, lawyers and business consultants must implement the statutory safeguards, policies and procedures to protect the PHI they are receiving from covered entities. This expansion also results in business associates becoming subject to the civil and criminal penalties for security violations that were previously only applicable to covered entities.

In addition, it should be noted that the Act contains a statement that the “additional requirements of this title that relate to security and that are made applicable to covered entities shall also be applicable to such a business associate.” It is unclear how broadly the statement will be interpreted, especially given provisions within the bill which contain explicit references to business associates. Therefore, it should be noted that provisions describing standards for covered entities regarding security may be applicable to business associates as well, including those discussed in this article.

2. Notification of Breaches

If an unauthorized acquisition, access, use or disclosure of “unsecured” PHI occurs, covered entities must notify all individuals whose PHI has been accessed, acquired or disclosed as a result of the breach without unreasonable delay after discovery of the breach. Business associates must notify the covered entity of such breaches but are not required to notify all individuals. The notice must contain certain information such as descriptions of what happened, the types of PHI involved, steps individuals should take to protect themselves, a description of what the covered entity is doing to investigate, and contact procedures for additional information. Notice must also be submitted to the Secretary of Health and Human Services (“Secretary”). If the PHI involves more than 500 individuals, then notice must be provided immediately; otherwise, notice can be logged and submitted annually.

The above-described requirements will apply to breaches discovered on or after the date of publication of the interim final regulations to be promulgated by the Secretary within 180 days of the enactment of the Act.

3. Restrictions on Certain Disclosures of PHI

Currently, a covered entity must allow an individual to request a restriction on the use or disclosure of PHI to carry out treatment, payment, or health care operations. However, the covered entity is not required to agree to a restriction. Now, the Act requires a covered entity to comply with the requested restriction if: (1) “the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment)”; and (2) the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.” Compliance with these new restrictions may become an administrative nightmare for each individual request.

4. Disclosure Standards

The Act significantly alters the standard a covered entity must meet when using, disclosing, or requesting PHI by changing the existing “minimum necessary” standard. Previously, a covered entity would have to limit PHI to the “minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” The covered entity was left to make this determination. The Act now requires a covered entity to limit PHI to the Limited Data Set. The Limited Data Set includes 16 individual identifiers such as name, address, phone number, email address, social security number and medical record numbers. Only if this requirement proves to be insufficient can the covered entity then rely on the old “minimum necessary” standard.

Just to add some confusion to the entire process, the Limited Data Set standard described above is only a temporary standard. The new Limited Data Set standard must be followed until the Secretary has issued guidance on what constitutes “minimum necessary.” The Secretary is to issue this guidance within 18 months of the date of enactment of the Act. (Don’t be surprised if the Secretary requests an extension on the 18 months.) Upon the issuance of the guidance, the new Limited Data Set standard no longer applies and the new, Secretary-approved “Minimum Necessary” standard will apply.

5. Accounting of Certain PHI

Individuals have a right to an accounting of disclosures of PHI made by a covered entity in the six years prior to the date of the request. But an exception exists providing that a covered entity is not required to account for disclosures made to carry out treatment, payment and health care operations.

The Act has now eliminated this exception for covered entities that use or maintain electronic health records with respect to PHI. The Act now gives individuals the right to an accounting of disclosures through an electronic health record made by a covered entity during the previous three years even if made to carry out treatment, payment and health care operations. A covered entity that receives the request may (1) provide an accounting for disclosures made by both the covered entity and their business associates, or (2) provide an accounting for disclosures made by the covered entity and provide the contact information of their business associates. If the latter is given and an individual makes a request upon the business associate, the business associate is required to provide an accounting of disclosures that he or she has made.

It is important to note that covered entities that have acquired electronic health records as of January 1, 2009 are not required to account for disclosures made before January 1, 2014. For covered entities that acquire electronic health records after January 1, 2009, accountings must be made for disclosures made on or after the later of (1) January 1, 2011, or (2) the date it acquires an electronic health record. Please keep in mind that these dates may change, as the Secretary has authority to alter them.


As you can see, the American Recovery and Reinvestment Act of 2009 has changed some important provisions related to HIPAA. Healthcare providers, consultants, accountants and lawyers should all review their security procedures when handling PHI to ensure they are in compliance with the new rules.

By Michael S. Byrd and Bradford E. Adatto
