Compliance Alert



		Stimulus Act Imposes Key Changes to HIPAA While much of the focus surrounding the American Recovery and Reinvestment Act of 2009 (ARRA) has been on the COBRA premium assistance provisions, the stimulus package also includes key changes to HIPAA contained within a section known as the Health Information Technology for Economic and Clinical Health Act (HITECH). The following is a brief summary of these changes: Direct Regulation of Business Associates Effective February 17, 2010, the HIPAA rules will apply directly to business associates. As a result, business associates will be subject to civil and criminal penalties and enforcement proceedings for violations of HIPAA. Notification Requirements in the Event of a Breach of Unsecured PHI Previously, covered entities were obligated to mitigate harm caused by unauthorized disclosures of PHI, but were not required to notify individuals whose PHI was inappropriately disclosed. Now under ARRA, covered entities and business associates will be required to notify individuals upon security breaches of “unsecured" information, which is defined as information not protected through methods approved by the federal government. Additionally, if the breach involves 500 or more individuals, the Act requires that the Department of Health and Human Services be notified, as well as the local media. Additional Privacy Rights for Individuals ARRA also expands privacy rights for individuals, including the right to receive information in electronic format if the information is maintained as an electronic health record (EHR). Strengthened Penalty and Enforcement Provisions Finally, ARRA strengthens the HIPAA penalty and enforcement provisions by (1) giving power to state attorneys general to bring actions to obtain injunctive relief or damages, (2) adding provisions for individuals harmed by HIPAA violations to receive a percentage of the civil monetary penalties collected, and (3) increasing the financial penalties for HIPAA violations. The breach notification requirements will be effective 30 days after appropriate regulations are published. The changes to the enforcement provisions are effective for violations occurring after February 17, 2009. For a more detailed discussion of the changes to HIPAA imposed by the stimulus bill, please click here. For further information on HIPAA, please contact our office at 919-403-1986. Important Notice: Hill, Chesson & Woody does not engage in the practice of law, accounting, or medicine. Therefore, the contents of this communication should not be regarded as a substitute for legal, tax, or medical advice.
June 1, 2009 Hill, Chesson & Woody Employee Benefit Services 194 Finley Golf Course Rd, Suite 200, Chapel Hill, NC 27517 Phone: 919.403.1986 Fax: 919.869.2063 www.hcwbenefits.com