Stimulus bill includes important changes to HIPAA requirements

February 19, 2010 — The American Recovery and Reinvestment Act of 2009 (the “Stimulus Bill”), which President Obama signed Feb. 17, 2009, changes several requirements related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA is intended to protect the privacy of protected health information (PHI). To accomplish this, HIPAA regulates how covered entities and their business associates use and disclose PHI. A covered entity is either a health plan, a healthcare provider who conducts certain transactions in electronic form or a healthcare clearinghouse.

Doctors of chiropractic and their staff members should be aware of the following dates and requirements: 

Beginning Feb. 17, 2010, Business Associates of Covered Entities must comply with the “Security Standards for the Protection of Electronic Protected Health Information,” commonly known as the Security Rule. 

This rule was adopted to implement provisions of HIPAA. Section 13401 of Subtitle D (Privacy) of the HITECH Act (42 USC 17931) states that “[t]he additional requirements of this title that related to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” [Public Law 111-5, p.260]  In addition, penalties that apply to Covered Entities also will apply to Business Associates for noncompliance with the provisions of the Security Rule.  To learn more about the Security Rule, please click here.

Beginning Feb. 18, 2010, a healthcare provider is required to honor a patient request to restrict disclosure of PHI to a health plan for purposes other than carrying out treatment (specifically, payment or healthcare operations) if the patient pays the health care provider out of pocket in full. [Section 13405 of Subtitle D of the HITECH Act (42 USC 17935)]

Lastly, on, Feb. 22, 2010, enforcement of the Breach Notification Rule goes into effect for “failure to provide the required notifications for breaches” of unsecured PHI discovered on or after the Feb. 22 date.  [74 Federal Register 42757, August 24, 2009].  The Breach Notification Rule provides obligations concerning collection and reporting of information pertaining to a breach, and requires “incorporation [of those obligations] into the Business Associate Agreement between the Business Associate and the Covered Entity.” [42 USC 17934]

Source: American Chiropractic Association, www.acatoday.org