H.R. 1, the new stimulus package passed by Congress last week and signed by President Obama on February 17, 2009, imposes significant new HIPAA privacy and security requirements on health plans, business associates, and other vendors of personal health records. The bill also includes appropriations for health information technology (HIT) and new HIT requirements for the government sector (or businesses that have government contracts).

Among the new requirements, described in more detail in the attached article and charts, are a duty to notify each individual in the event of a security breach, the extension of direct penalties to business associates, additional access and accounting requirements, and stricter criminal and civil enforcement. Most of the HIPAA privacy and security requirements go into effect one year from enactment, although some provisions (as noted) have shorter or longer deadlines.

We have attached an article summarizing these provisions, as well as section-by-section charts that provide more detail.