Major HIPAA revisions are yet another part of the massive federal economic stimulus law (the American Recovery and Reinvestment Act of 2009, or ARRA). For example, the ARRA impacts HIPAA as follows:
- Extends certain privacy and security rules to "business associates" directly
- Establishes new notification requirements in the event of a security breach of PHI (protected health information)
- Prescribes additional disclosure requirements relating to electronic health records
- Increases enforcement and penalties associated with violations of the privacy and security rules
The new enforcement and penalty provisions are effective immediately. In general, the new privacy rules take effect on February 17, 2010, and the new security rules take effect 30 days after the Department of Health and Human Services (HHS) publishes regulations.

The ARRA also affects HIPAA rules that require employers with group health plans to provide certificates of creditable coverage to employees and dependents when their coverage ends. HIPAA still requires employers to disregard breaks in coverage of fewer than 63 days in calculating creditable coverage. Now, however, if a qualified beneficiary obtains COBRA coverage due to the special extended election period, any breaks in coverage - even if longer than 63 days - between the qualifying event and the effective date of such coverage must also be disregarded.