For more information, contact:
Theresa Grant
American Health Information Management Association
(312) 233-1100
theresa.grant@ahima.org

 

Recovery and Privacy

Why a law about the economy is the biggest thing since HIPAA

 

CHICAGO, May 5, 2009—The American Recovery and Reinvestment Act of 2009 gave a big monetary boost to the healthcare industry when it was signed into law February 17. But stipulations for the $19 billion funding include the adoption of new privacy and security regulations that introduce dramatic changes in how organizations manage their privacy practices, according to a feature article in the May issue of the Journal of AHIMA.

 

The privacy regulations imposed in the act’s Title XIII, or HITECH, include the most significant collection of privacy requirements since HIPAA came into effect in 2003. Since HITECH provides funding for the adoption of healthcare IT, it was necessary for Congress to address the ongoing privacy issues.

 

Recovery and Privacy explains how the ARRA language lays out Congressional intent to make changes and how the Department of Health and Human Services must propose and adopt final regulations that establish the ground rules for conforming to the intent of the law.

 

HHS also must respond to administrative changes introduced by the law. Now that ARRA has established the Office of the National Coordinator for Health Information Technology as a permanent office, the ONC has to appoint a privacy officer to serve in an advisory role on policy and standards issues.

 

The feature article also discusses the first federal requirements on health data breach reporting and notification that ARRA establishes, which extend past the traditional covered entities under HIPAA to include business associates and noncovered entities that handle protected health information as defined in the law. The breach provisions will generate some of the first requirements to come out of ARRA, including guidance related to securing data held in personal health records.

 

ARRA increases the obligations of business associates as identified under HIPAA, which subjects them to specific privacy and security regulations. ARRA also extends its own requirements and the HIPAA security and privacy requirements for business associates to health information exchange organizations, e-prescribing gateways, and other organizations that transmit personal health information.

 

This article also includes a chart that provides descriptions, responsible parties and due dates for ARRA provisions—including breach notification—that will take effect over the next three years.

 

Read the complete article in the May issue of the Journal of AHIMA or online at journal.ahima.org.

 

About AHIMA

The American Health Information Management Association is America’s leading professional society whose mission is to “improve healthcare by advancing best practices and standards for health information management and [serve as] the trusted source for education, research and professional credentialing.” AHIMA represents more than 53,000 specially educated HIM professionals who serve healthcare and the public by managing, analyzing and utilizing data vital for health system management. www.ahima.org

 

###