March 17, 2009

New HIPAA Requirements Included in Economic Stimulus Bill

Although the media has focused a lot of attention on the economic stimulus provisions of the recently passed American Recovery and Reinvestment Act of 2009, this new law also contains several important changes to HIPAA privacy and security requirements. These new provisions dramatically increase the penalties for violating HIPAA and impose new obligations that will require changes to existing HIPAA policies and procedures and business associate agreements.

If your organization is a health care provider, an insurer, an employer that sponsors self-insured benefits, or a company that provides services to one of these organizations, these changes will apply to you.

The law includes new requirements for business associate agreements:

  • The security provisions of HIPAA, including the administrative, physical and technical safeguards that previously applied only to covered entities, must now be included in business associate agreements. This includes an obligation that business associates maintain written policies and procedures implementing these requirements.
  • Business associates may only disclose protected health information received from a covered entity if the disclosure is permitted under the HIPAA privacy rules. Moreover, business associates may have to terminate an agreement with a covered entity (or if termination is not feasible, report the covered entity to the Department of Health & Human Services) if the covered entity engages in an activity or pattern of practice that violates the business associate agreement.
  • The law clarifies that organizations that provide data transmission services to covered entities—such as health information exchanges (HIEs), regional health information organizations (RHIOs) and E-prescribing gateways—must enter into business associate agreements. Vendors that contract with covered entities to provide personal health records to patients must also enter into business associate agreements.
  • Business associates will be subject to the same civil and criminal penalties as covered entities.
  • Business associate agreements must be amended or put in place by February 17, 2010.

The law imposes new notification requirements in the event that a covered entity or a business associate discovers that protected health information has been improperly acquired, accessed or disclosed.

  • Covered entities must notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, acquired, accessed or disclosed as a result of the breach. Protected health information is "unsecured" if it has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in guidance that the Department of Health & Human Services must issue; information secured in that way (for example, by encryption that meets the guidance) falls outside the notification requirement, so the decision to encrypt stored and transmitted data bears directly on an organization's breach-notification exposure.
  • Business associates that discover a breach must notify the covered entity and identify each individual whose unsecured protected health information has been acquired, accessed or disclosed.
  • Notification must be made to the individual without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered (state notification laws may require notification even earlier). The notice must include a brief description of what happened, including the date of the breach and the date of discovery if known; the type of unsecured protected health information involved; the steps individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate losses and protect against further breaches; and contact information for individuals to ask questions and learn additional information.
  • If a breach involves the unsecured protected health information of more than 500 residents of a state or jurisdiction, notice must also be given to prominent media outlets serving that area. Breaches involving 500 or more individuals must be reported to the Department of Health & Human Services immediately; smaller breaches are recorded in a log that is submitted to the Department annually.

The new law requires the Department of Health & Human Services to release interim final regulations by August 17, 2009, and the duty to notify will apply to any breach discovered on or after the date that is 30 days after the publication of the interim final regulations.

The Act provides for more comprehensive accounting of uses and disclosures of electronic health records.

  • The law defines "electronic health record" as an electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.
  • Under the new law, individuals will have the right to receive a more comprehensive accounting of disclosures made through an electronic health record, including disclosures for treatment, payment or health care operations that are currently exempt from the accounting requirement. The accounting period for these disclosures, however, is three years rather than six.
  • The Department of Health & Human Services will establish standards for what electronic health record systems must collect to support this accounting, together with the effective dates for those standards. For electronic health record systems in place before January 1, 2009, the requirement applies to disclosures made on or after January 1, 2014; for organizations acquiring electronic health record systems on or after January 1, 2009, it applies to disclosures made on or after January 1, 2011 (or the date the system is acquired, if later). The Department may extend either date by up to two years, if necessary.

The Act immediately increases the amounts for civil monetary penalties, gives state attorneys general the right to enforce HIPAA and allows individuals to recover a percentage of the civil monetary penalty if they have been harmed by a HIPAA violation.

  • The law creates tiers of penalties ranging from a minimum of $100 per violation (where the entity did not know, and with reasonable diligence would not have known, of the violation) up to $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision. Penalties collected by the Department of Health & Human Services will be transferred to its Office for Civil Rights to fund HIPAA enforcement efforts.
  • The law requires the highest penalties when the covered entity’s or business associate’s violation is the result of “willful neglect” of HIPAA requirements.
  • The new law requires the Department of Health & Human Services to conduct periodic compliance audits of covered entities and business associates.
  • The Government Accountability Office will study how to provide a percentage of civil monetary penalties and settlement amounts to individuals harmed by HIPAA violations, and the Department of Health & Human Services will issue rules implementing this requirement by 2012.
  • A state's attorney general may now bring a civil action in federal court to enjoin a HIPAA violation or to recover damages on behalf of state residents affected by it. Damages are calculated at up to $100 per violation, capped at $25,000 per calendar year for all violations of an identical requirement, and the attorney general may also recover costs and reasonable attorney fees.

If you have any questions about the new HIPAA provisions under the American Recovery and Reinvestment Act, or if you need help updating policies and procedures or business associate contracts, please contact Norbert F. Kugele (616.752.2186), Nathan W. Steed (616.752.2723), or any other member of Warner's HIPAA Task Force, Warner's Health Law Practice Group or Warner's Employee Benefits Practice Group.
