
By: Sean Sherman

Has anyone taken a look at the American Recovery and Reinvestment Act of 2009 (ARRA) with regard to HIPAA, privacy law and compliance impact? (Just search the text for “HIPAA” – you’ll be impressed.) The new rules revolve around two primary areas: 1) the mandated adoption of new electronic health record systems (and the standards, controls and protections around that development), and 2) the expansion of breach notification rules concerning personal health records.

If there is a concern, it is that this law clearly must co-exist with the 1996 HIPAA law. The HIPAA security rules did not specifically address the protection of all entities that might handle or process protected health information – in particular, they did not cover the electronic health records, aggregators, personal health record (PHR) vendors and processors that the new law addresses. While the new legislation tries to address where it sees boundaries between the two domains, there is some doubt that there are clear next steps, or that the law will be flexible enough to accommodate the business structures that will result from it. There is little doubt that many technical and procedural concerns will have to be ironed out by HHS or the legal system.

If you follow the money, it is easy to see where changes are most likely. Hundreds of millions of dollars will be spent encouraging physicians and hospitals to invest in new electronic systems and in developing an “electronic health information exchange” that would tie the new systems together. In turn, grants and projects will kick off to protect and strengthen existing and new systems against breaches and other security risks. Finally, NIST is granted millions to help develop new security standards for health records and information to support this developing space. The likely result is more detailed guidance for regulators and compliance initiatives.