Health care provider organizations that comply with existing HIPAA privacy and security regulations shouldn't be too concerned about the updates in the rules called for under the economic stimulus package, one attorney advises. That's because the American Recovery and Reinvestment Act does not call for wholesale changes in the HIPAA rules, says Kirk Nahra, a partner at Wiley Rein LLP, Washington.
But ARRA sets tougher penalties, ranging from $25,000 to $1.5 million, for violating a patient's privacy, he notes. It also will lead to dramatically stepped-up enforcement of privacy and security regulations, he predicts.
Also, state attorneys general now have explicit authority to enforce the HIPAA rules. And under ARRA, individual employees at a health care organization can face criminal charges for violations, Nahra notes.
Nahra made his comments August 17 at the 2009 Legal EHR Conference in Chicago. The American Health Information Management Association sponsored the event.
One significant change as a result of ARRA, the attorney says, is that business associates of health care organizations, including software vendors, must notify consumers of security breaches. This requirement, coupled with stepped-up enforcement, will have a major impact on vendors, Nahra predicts. And providers will have to revise their vendor contracts to reflect these breach notification provisions, he adds. Further, business associates are more explicitly required to comply with the privacy and security rules under ARRA.
This article can also be found at HealthDataManagement.com.
Howard Anderson is the executive editor of Health Data Management magazine.