Changes to Privacy Regulations under ARRA, May 4, 2009. Melissa Goldstein, J.D., The George Washington University School of Public Health and Health Services


Changes to Privacy Regulations under ARRA

May 4, 2009

Melissa Goldstein, J.D.

The George Washington University School of Public Health and Health Services


HIPAA Privacy Rule in a Nutshell

• A covered entity cannot use or disclose protected health information unless it is permitted or required by the Rule

• And then, generally, only the minimum necessary information may be used or disclosed

• Rule sets a federal floor

• More protective state statutes are permitted


American Recovery & Reinvestment Act of 2009 (ARRA)

• Title XIII – Health Information Technology (HITECH)
• $19 billion over 10 years
• Establishes HIT infrastructure at HHS (Advisory committees on policy and standards)
• Significant changes to healthcare privacy and security environment
• Does not change all of HIPAA but should be addressed by entities handling health care information
• Most provisions require further regulatory clarification


Overview of Investment

• $2 billion in grants
  – $300M for subnational and regional exchange efforts
  – $20M for NIST for health care information enterprise integration
• Incentives through Medicare & Medicaid for healthcare professionals, hospitals and other providers


Changes to HIPAA

• Enhanced Individual Control
  – Right of electronic access
  – Can direct record to another entity or individual (PHR)
  – Right to restrict disclosures to health plans for payment and operations
• Application to business associates (entities that act on behalf of “covered entities”)
  – HIPAA security rules
  – HIPAA privacy rules
  – Provisions in ARRA


Changes to HIPAA

• Business Associate contracts
  – Required for health information exchanges, RHIOs, and other entities that transmit protected health information (PHI) to a covered entity
  – Required for vendors that contract with a covered entity to offer a personal health record (PHR)
• Breach notification requirement
  – Definition of breach
  – Safe harbor for “protected” data


Changes to HIPAA

• Accounting for disclosure requirements for entities using electronic health records
  – Requirement applies after standard and regulations are developed
  – Phased in over time
  – Covers only 3 years


Changes to HIPAA

• Marketing
  – Limited right to use information for marketing if the communication is paid for by an outside entity
  – Exceptions for treatment and communications about current drugs and biologics
• Fundraising
  – Opt-out required


Changes to HIPAA

• Prohibition on sale of health records or protected health information
• Exceptions
  – Public health
  – Research
  – Treatment of an individual
  – Sale of a facility/business
  – Payments to business associates
  – Copies to individuals


Changes to HIPAA

• Secretary guidance on minimum necessary
  – Use of limited data set where possible in interim
  – Discloser determines minimum necessary
• Minimum necessary still does not apply to treatment or de-identified information
• Study on implementation of the de-identification requirements


Enhanced Enforcement of HIPAA

• Tiered increase in civil penalties
• Secretary required to do periodic audits
• State Attorney General civil enforcement


Entities not covered by HIPAA

• Study of privacy protections
  – HHS & FTC report to Congress on privacy and security recommendations for PHRs
• Temporary breach notification provisions
  – FTC enforced


Implementation

• Refining terms “certified EHR” and “meaningful use”

• Strategic plan for rollout

• Implementation of privacy and security provisions