Personal Health Information Privacy And Security

The American Recovery and Reinvestment Act of which became law in 2009, includes changes for the Health Insurance Portability and Accountability Act (HIPAA) related entities including business associates who perform service on behalf of those entities.

This resulted from the fact that the part of the Recovery Act calls for computerized health records by the year 2014. Advocates have lobbied for tighter privacy and security measures to protect this information.

This will impact third party providers classified as business associates, and how they interact with the personal health information they have access to. This stems from the growing movement toward electronic health records which many business associates are getting involved in.

The Act wants the public to know that their information will be protected by all parties that have access to it be it primary care physicians or third party medical billing operations.

Some of these changes include:

- Many provisions of the HIPAA Security Rule now apply to business associates. These associates include compliance auditors, accounting services and third party billing services. They now have a HIPAA duty to protect the confidentiality of all electronic protected health information.

- Business associates cannot use or disclose Personal Health Information (PHI) in any manner other than what's permitted or required by the contract or required by law.

- If there's a PHI breach, the business associates must immediately notify the entity of the breach including each individual impacted by the breach. If the breach is greater than 500 people The Department of Health and Human Services (HHS) must be notified.

- HHS must issue guidance annually on the best technical safeguards to carry out the security standards of the HIPAA Security Rule.

- Business associates can be subject to criminal and civil penalties related to HIPAA if security or privacy provisions are violated.

- HHS has to formally investigate any complaints and impose civil penalties where appropriate.

- There will be new accounting requirements for electronic heath records (EHR).

- Business agreements will be required for all entities that provide transmission of PHI.

- There are new accounting standards for PHI disclosures from an EHR. This includes that an individual will have the right to receive an accounting for any PHI disclosures related to the EHR during the three years prior to the request.

- Business associates must comply with a patient's request not to disclose PHI under certain circumstances.

- HHS must provide for periodic audits to make business associates comply with these requirements.