[Med-privacy] American Recovery and Reinvestment Act of 2009
peter marshall
pwm@comcast.net
Mon, 23 Feb 2009 16:07:35 -0800
Final Medical Privacy Rules Adopted in Congress
=======================================================================
On February 17, 2009, President Barack Obama signed into law the
American Recovery and Reinvestment Act of 2009. The Act contained
various measures that promote strong medical privacy safeguards. The
new law amends the Public Health Service Act and the Social Security
Act by adding and clarifying key definitions; sets up new offices and
committees for the promotion of health information technology; and
assigns their powers, duties and responsibilities.
Subtitle A of the Act establishes the Office of the National
Coordinator for Health Information Technology under the Department of
Health and Human Services. The ONCHIT is charged with the
responsibility of developing a nationwide health information
technology infrastructure that allows for the electronic use and
exchange of information while ensuring multiple medical privacy
protections. The ONCHIT must also review and determine standards,
specifications and certification criteria. Other authorities created by
the Act are the HIT Policy Committee and the HIT Standards Committee.
The ONCHIT is to serve as the liaison between the two Committees and
the Federal Government.
A Chief Privacy Officer of the ONCHIT is also to be appointed within
12 months to advise the ONCHIT on privacy, security and data
stewardship of electronic health information and coordinate with other
agencies and their personnel.
The HIT Policy Committee is assigned the duty of making policy
recommendations to the National Coordinator relating to the
implementation of nationwide health information technology. The HIT
Standards Committee has the responsibility of recommending standards,
implementation specifications and certification criteria to the
National Coordinator. The Act however makes it clear that the statute
does not apply to private entities or give authority to a Federal
agency to require a private entity to comply unless it enters into a
contract with the Federal Government to apply or use the standards and
implementation specifications. The National Institute of Standards
and Technology has been entrusted with the pilot testing of standards
and implementation specifications to assure efficient implementation.
Sections of the bill also mandate that agencies promoting quality and
efficient health care in Federal government or sponsored health care
programs agree that all health care providers and similar entities
utilize health information technology systems and meet the standards
and specifications adopted under the bill.
Subtitle D of the statute deals with Privacy. A section defines
breach and sets forth exceptions. "Business Associate" and "Covered
Entity" are also defined. In case of data breaches, the covered entity
is to notify every individual reasonably believed to be affected by the
breach; and if a business associate of a covered entity suffers a data
breach, it must inform the covered entity about every individual whose
information may have been affected. The statute also assigns the
Office of Civil Rights within the Department of Health and Human
Services to offer guidance and education to covered entities, business
associates and individuals on their rights and responsibilities to
Federal privacy and security requirements.
The new law prohibits the sale of protected health information in the
absence of a valid authorization. However, the law also contains
exceptions for public health activities, research, treatment and sale
to a business associate at the request of a covered entity under a
business associate agreement. Business associates of covered entities
can only obtain protected health information when under written
obligation and violations are met with civil and criminal penalties.
Further, marketing based on communication by a covered entity to a
business associate is not deemed to be a healthcare operation.
The statute also contains a clause that makes the standards governing
the privacy and security of individually identifiable health
information created under the Health Insurance Portability and
Accountability Act to remain in effect only to the extent they are
consistent with the American Recovery and Reinvestment Act. The
Secretary of the Department of Health and Human Services is also to
amend the Federal regulations consistent with the subtitle on Privacy.
Another provision of the Act designates the Secretary, in consultation
with the Federal Trade Commission, to conduct a study and submit a
report on privacy and security requirements for entities that are not
covered entities or business associates.
The Act limits the appropriation of funds in making significant
investments unless such investment would permit full and accurate
electronic exchange and use of health information in a medical record
with both security and privacy. Patient Privacy Rights led the campaign
for strong medical privacy protection to be included in the Stimulus
Bill. Senator Leahy also asked for the incorporation of some of the
provisions.
The American Recovery and Reinvestment Act of 2009:
http://epic.org/redirect/022309_Stimulus_Act.html
Subtitle D - Privacy:
http://epic.org/privacy/pdf/StimulusPassedBill-SubD.pdf
Patient Privacy Rights:
http://www.patientprivacyrights.org/
Senator Leahy's statement on medical privacy:
http://leahy.senate.gov/press/200902/021309c.html
EPIC's page on Medical Privacy:
http://epic.org/privacy/medical/default.html
[EPIC]