HIPAA, Too: Many ARRA Privacy Provisions Amend HIPAA, Not Create New Regulation

By Harry Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, and Dan Rode, MBA, CHPS, FHFMA

This month the Journal introduces a new “Working Smart” column titled “ARRA on the Job,” offering HIM professionals practical guidance on interpreting, planning for, and implementing provisions of the American Recovery and Reinvestment Act.

The American Recovery and Reinvestment Act of 2009 includes numerous provisions affecting health information management, including technology adoption incentives, education and workforce training funding, and significant new privacy provisions.

The privacy provisions stem from longstanding concerns over the confidentiality and transparency of information held in electronic systems. Many of the provisions relate to previous regulation passed as part of the HIPAA privacy rule, either to increase the protection of individually identifiable patient information or to increase the transparency of how it is used.

For this reason, authors of the ARRA legislation decided to incorporate the new ARRA mandates into the existing HIPAA regulations where possible.

For example, expanded ARRA requirements for accountings of disclosure are added to section 164.528 of the HIPAA privacy rule on disclosure. ARRA amends the HIPAA rule; it does not create a new rule. New requirements on breach notification become a subpart within HIPAA part 164.

In addition, ARRA was intended to harmonize with HIPAA. Many of the privacy terms used in ARRA are taken directly from definitions established within HIPAA. ARRA is consistent with HIPAA’s provisions on state preemption.

Provisions Amend Additional Regulations

The table [below] lists ARRA provisions that amend or reference the HIPAA privacy rule. ARRA includes additional provisions related to privacy and security that are not included here.

One such exception is the breach notification provisions for personal health record vendors that are not covered entities; those vendors are subject to regulation by the Federal Trade Commission instead.

Similarly, ARRA clarifies that employees of covered entities and business associates may be individually prosecuted if they are involved in a privacy or security violation (which should end any uncertainty that continues to exist). However, the actual amendment is to the Social Security Act, not HIPAA. Other ARRA provisions related to enforcement and penalties also modify the Social Security Act.

ARRA amends the security rule by expanding security requirements to business associates and requiring that business associate agreements incorporate the new provisions. The changes affect security rule sections on administrative, physical, and technical safeguards as well as policies, procedures, and documentation requirements.

As ARRA’s privacy provisions continue to make their way into regulation, they will be published individually in the Federal Register. At this time it is unclear exactly how and where the Department of Health and Human Services will compile the HIPAA amendments and how they will be noted within the privacy rule. However, AHIMA will be publishing news, analysis, and resources on all ARRA provisions at a single location, www.ahima.org/arra. [web page no longer available]

ARRA Privacy Provisions That Amend or Reference HIPAA
Many of the ARRA privacy mandates are incorporated into existing HIPAA regulations. Those that directly reference or amend the privacy rule are shown below. ARRA also includes provisions that are not tied to HIPAA.

Business Associates

| ARRA Section | Topic | HIPAA Section |
|---|---|---|
| §13404(a), “Application of Contract Requirements” | Extends ARRA requirements to any business associate (BA) of a covered entity (CE) that receives protected health information under HIPAA | §164.502(e)(2) |
| §13404(b), “Application of Knowledge Elements Associated with Contracts” | Requires a BA that notes any privacy noncompliance by the CE to request the CE to correct the situation or cease doing business with it | |
| §13408, “Business Associate Contracts Required for Certain Entities” | Extends BA status to recently emerged entities such as health information exchanges, regional health information organizations, PHR operators, and e-prescribing gateways | §164.502 |

Restrictions on Disclosure

| ARRA Section | Topic | HIPAA Section |
|---|---|---|
| §13405(a), “Requested Restrictions on Certain Disclosures of Health Information” | Extends a consumer’s right to request restrictions on disclosure under certain conditions (e.g., the item or service has been paid out of pocket in full) | §164.522(i)(A) |
| §13405(b), “Disclosures Required to Be Limited to the Limited Data Set or the Minimum Necessary” | Clarifies a data holder’s responsibilities in releasing requested data by providing guidance on what constitutes “minimum necessary” | §164.502(b)(1) |
| §13405(c), “Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record” | Revises HIPAA requirements to include treatment, payment, and operations within required disclosures; changes the accounting period to three years | §164.528 |
| §13405(d), “Prohibition on Sale of Electronic Health Records or Protected Health Information” | Prohibits, with some exceptions, a CE or BA from directly or indirectly receiving remuneration in exchange for an individual’s PHI unless covered by a valid authorization | §164.508 |
| §13405(e), “Access to Certain Information in Electronic Format” | Requires CEs that maintain EHRs to provide individuals with copies of their PHI in electronic format upon request or transmit it as directed | §164.524 |

Breach Notification

| ARRA Section | Topic | HIPAA Section |
|---|---|---|
| §13402, “Notification in the Case of Breach” | Requires CEs and BAs to provide notification to patients, Health and Human Services, and potentially the media in the case of breaches of unsecured PHI | Adds new subpart D under part 164 |

Marketing and Fundraising

| ARRA Section | Topic | HIPAA Section |
|---|---|---|
| §13406, “Conditions on Certain Contacts as Part of Health Care Operations” | Prohibits certain written marketing communications and allows individuals to opt out of fundraising appeals | §164.501 |

AHIMA. “Analysis of Health Care Confidentiality, Privacy, and Security Provisions of the American Recovery and Reinvestment Act of 2009, Public Law 111-5.” March 2009. Available online at www.ahima.org/arra. [web page no longer available]

Harry Rhodes (harry.rhodes@ahima.org) is director of practice leadership at AHIMA. Dan Rode (dan.rode@ahima.org) is AHIMA’s vice president of policy and government relations.

Article citation:
Rhodes, Harry B.; Rode, Dan. "HIPAA, Too: Many ARRA Privacy Provisions Amend HIPAA, Not Create New Regulation" Journal of AHIMA 81, no.1 (January 2010): 38-39.