Mar 3, 2009
The American Recovery and Reinvestment Act of 2009 (ARRA) was signed on Tuesday, February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D) that Information Security and Risk Management professionals must take note of. The following is a high-level overview of TITLE XIII, SUBTITLE D.
These changes become effective on February 17, 2010, one year after enactment of ARRA.
ARRA TITLE XIII, SUBTITLE D
Subtitle D—Privacy
Sec. 13400. Definitions.
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
Sec. 13402. Notification in the case of breach.
Sec. 13403. Education on health information privacy.
Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
Sec. 13406. Conditions on certain contacts as part of health care operations.
Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
Sec. 13408. Business associate contracts required for certain entities.
Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
Sec. 13410. Improved enforcement.
Sec. 13411. Audits.

