By a vote of 61 to 37, the U.S. Senate this afternoon passed the American Recovery and Reinvestment Bill of 2009 (H.R. 1), which includes substantial changes for HIPAA covered entities. Many of the privacy provisions in the Senate bill mirror those of the House version passed on Jan. 28 (H.R. 1). The complete economic recovery stimulus legislation now goes to conference, with passage expected in the next week or 10 days.
The full text of both the House and Senate versions of the bill appears on AISHealth.com at http://www.aishealth.com/Compliance/HCFAIGLibrary.html
Among the major privacy changes:
– Ensuring that business associates doing work with or on behalf of covered entities are subject to the privacy and security rules, and that the regulations also cover organizations that were not in existence when federal laws were written (such as online personal health records);
– Establishing a federal breach notification requirement that a patient be notified if there is an unauthorized disclosure of their information when the data was not encrypted;
– Providing transparency by allowing patients to request an audit trail showing all disclosures of their information made through an electronic record;
– Increasing penalties for violations of federal privacy and security laws, and providing greater resources for enforcement and oversight activities.
Three Senate Republicans voted in favor of the measure, which received no Republican support in the House.
Major HIPAA privacy legislation is now virtually assured of passage, since new electronic health records (EHR) funding and other provisions are cemented into the nation’s economic recovery plan, with stronger patient privacy measures wedded to the new EHR provisions.