http://www.pwwemslaw.com/content.aspx?id=396
President Obama signed into law the American Recovery and Reinvestment
Act of 2009 (H.R. 1), which includes significant changes for HIPAA
covered entities and other organizations that perform services on behalf
of covered entities and business associates. A portion of the Recovery
Act calls for computerizing all health records by the year 2014, and
privacy advocates have lobbied for more stringent privacy and security
measures to protect this data. This means that new regulatory
requirements are on the horizon.

The new law expands the reach of several provisions of the Privacy and
Security Rules to cover business associates, making them directly
responsible for complying with certain HIPAA provisions. Additionally,
covered entities and other organizations will soon have to follow strict
notification requirements when there is an unauthorized disclosure of
unsecured protected health information (PHI). The new law contains more
restrictions on the disclosure of PHI and bans the sale of PHI except
under limited circumstances. It also contains new accounting
requirements for electronic health records. Finally, the new law
increases penalties for violations of the Privacy and Security Rules for
both covered entities and business associates.