  • Wisconsin Lawyer
    July 13, 2009

    HIPAA and the Stimulus Law: Protecting Health Information

    The American Recovery and Reinvestment Act of 2009 strengthens federal privacy laws enacted in the Health Insurance Portability and Accountability Act of 1996. Health care providers and their vendors and business associates all are now liable for unauthorized disclosures of individuals’ health care information. New provisions govern electronic information and how notification of a breach is to be made. The rules are complex, with many exceptions. And more changes are expected.

    Wisconsin Lawyer, Vol. 82, No. 7, July 2009

    Congress enacted an update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a part of the federal stimulus package. One reason for enactment of the 1996 law and the 2009 updates to HIPAA is the government’s concern for the privacy of individuals. Updates to HIPAA’s initial privacy rules were expected when that law was first enacted, and these new provisions were anticipated. This law mandates that more regulations will be issued within the next 18 months. Confidential maintenance of health records is paramount as the frequency of identity theft increases. Therefore, one of HIPAA’s key purposes is to ensure that the privacy of individuals’ health care information is maintained as the effort continues to computerize all health records within the next five years.

    Although the focus of the 2009 legislation is economic stimulus, one part of the immense law governs identity theft and individual privacy. This law directly affects all medical providers, including doctors, dentists, hospitals, and emergency medical services and fire departments,1 and their business associates and vendors, throughout the United States. The same underlying rules and legal philosophy of HIPAA apply, but the scope of the 2009 law is greater.

    The Law

    Congress’s newly enacted legislation is the American Recovery and Reinvestment Act of 2009 (ARRA), popularly known as the stimulus law.2 ARRA adds provisions that make vendors of health-care providers liable for unauthorized disclosure of health care information while the information is in their use. Because HIPAA did not govern vendors, the new law provides the Federal Trade Commission (FTC) with new powers, which will bring its unfair-and-deceptive-trade-practice law enforcement provisions to bear on violators. The liability of business associates is also expanded. New provisions govern electronic information and how notification is to be made in the event of breach.

    Key Definitions

    The following legal definitions continue to apply as in the original HIPAA3:

    • A covered entity includes a “health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”4
    • Protected health information (PHI), with limited exceptions not applicable to the present analysis, includes individually identifiable health information that is transmitted by electronic media or maintained in electronic media or transmitted or maintained in any other form or medium.5
    • A business associate is a person who participates in or performs a function involving the use or disclosure of individually identifiable health information, or provides legal, accounting, consulting, administrative, data aggregation, or financial services to a covered entity.6

    New Definitions

    The new law especially targets records drawn from multiple sources and electronic records that are shared by multiple medical providers. The more often medical information is shared, the easier it is for the information to be accessed by unauthorized persons.

    • Vendor of personal health records means an entity that offers or maintains a personal health record.7
    • Breach8 has an expansive definition under the new law. A breach is the unauthorized acquisition, use, or disclosure of PHI that compromises a person’s privacy. However, if a disclosure was made in good faith and was unintentional, it is not a breach.
    • Other new terms defined in ARRA are electronic health record9 and personal health record.10
    Barry W. Szymanski

    Barry W. Szymanski, Marquette 1973, of counsel to Schober Schober & Mitchell S.C., Wauwatosa, is a private practitioner and an emergency services consultant. He represents many medical providers, emergency medical technicians, and fire departments and serves as the lawyer for the Wisconsin EMS Association. This article is presented to raise issues and questions and is not intended as a detailed review of a very complex set of constantly modified state and federal statutory, regulatory, and case law.

    Whether or not health information is secured, a HIPAA-covered entity and its business associates and vendors will be liable if personal health records are breached. This law states that unsecured protected health information is medical information that is not secured through the use of technology.11 Any breach of either secured or unsecured PHI requires notification to those individuals whose privacy was violated.

    Business associates are held to the same standards of privacy as covered entities.12 As required by HIPAA, every entity that provides PHI to a business associate is required to enter into a written contract with the associate.13 Agreements between covered entities and business associates must incorporate the same HIPAA provisions that apply to covered entities to protect privacy. The new law applies all of HIPAA’s civil and criminal penalties to business associates.14

    If a Breach Occurs

    Breaches can occur if, for example, a relative is provided PHI about a patient in a hospital or an emergency medical technician provides PHI to an inquisitive police officer. (See the accompanying sidebar of common HIPAA exceptions to disclosures.) If there is a breach of unsecured PHI, the covered entity must properly notify each individual whose information has been accessed.15 This requirement now extends to business associates.16 All required notifications must be made without unreasonable delay, and not later than 60 days after the breach was discovered. Both the covered entity and its business associate have the burden of proof to demonstrate that all notifications were made in accord with this law and also must demonstrate why any delay of notification was necessary; otherwise the HIPAA penalties will be enforced.17


    The entity must notify by first-class mail every individual whose information has been acquired or accessed. If an individual is deceased, then notice is to be given to the next of kin. If there is insufficient contact information, the covered entity must post a conspicuous notice of the breach on its Web site home page or give notice by major print or broadcast media. If the privacy of more than 500 individuals is breached, then the media and the Secretary of the Department of Health and Human Services (HHS) are to be notified. There are specific provisions as to what must be included in the notice, including what information was breached, the steps individuals should take to protect themselves from harm, and what the entity is doing to mitigate losses. However, if the breach was criminal in nature, and a police investigation is involved, a delay in providing notice is permitted.18

    Restriction of Information

    As under HIPAA, individuals may request that their PHI be restricted.19 This right extends to the use or disclosure of the individual’s PHI to carry out treatment, payment, or health care operations.20 The new law continues to require that covered entities comply with those requests, subject to numerous exceptions, such as emergency care,21 and that covered entities limit the PHI to the extent practicable. The new law allows exceptions for disclosures that are made to carry out payment (and that are not for treatment), and if the information pertains solely to a service for which the health care provider involved has been paid “out of pocket in full.”22 A change was made to prior HIPAA law; under the new law, individuals have a right to receive an accounting of disclosures made of their information only during the three years before the date the accounting is requested.23 The exceptions and disclosure requirements are complex.24

    Marketing and Sale

    Marketing is not considered a health-care operation under the new law. Entities wishing to use any PHI for marketing must meet strict conditions.25 Covered entities and business associates are prohibited from selling electronic health records,26 but individuals may sign an authorization to release information.27 One exception to the sale prohibition is when an individual is provided a copy of his or her PHI, and other exceptions to the sale prohibition include for research, public health, and medical treatment.28

    Regulations of Vendors

    Vendors (of HIPAA-covered entities) that discover that a breach of any unsecured protected and identifiable health information occurred must notify the individual and the FTC.29 A breach made through a vendor now is an unfair and deceptive act or practice in violation of the Federal Trade Commission Act.30 Additionally, in the new law the term individually identifiable health information is referenced, and it is expanded and referenced in the Social Security Act.31 The FTC is to issue future regulations in this area32 and will address unsecured identifiable health information that is not protected by technology.33


    In addition to adding requirements to existing HIPAA and FTC law, the new law clarifies penalties. It improves enforcement of Social Security law when unlawful disclosures of individually identifiable health information are made.34 Penalties apply to entities and to individuals, such as employees of covered entities. Liability under the Social Security Act has been broadened.35 Willful neglect may constitute a violation. The amount of civil monetary penalties increased; such penalties now range from $100 to $50,000 with a cap of $1,500,000. Enforcement may be by state attorneys general, and if a state requests fees, a judge now can award reasonable attorney fees to state attorneys general for enforcement actions.

    Future Regulations

    The Secretary of HHS is required to publish additional regulations in the future.36 Generally, many of the new law’s provisions take effect over one year, including provisions that require the FTC and HHS to issue regulations after study. The review time ranges from six to 18 months.37

    Working with the New Law

    HIPAA-covered entities should review their contracts with their business associates and vendors. They should require that their business associates provide copies of the associates’ policies and procedures for processing, maintaining, and securing electronic information. Audits of procedures should include how and by whom physical and electronic access is made and what safeguards are in place to limit retrieval of PHI.

    HIPAA-covered entities may wish to add indemnification provisions to agreements with their business associates and vendors to protect themselves if an associate or vendor violates privacy laws. The required breach notification will be labor intensive and therefore expensive. Contracts should mandate reporting, because the new law requires it, even between third-party service providers, vendors, and entities.38 Further, because the negative public relations resulting from a breach of private protected information would be detrimental to the entity, a contract should include provisions for such indemnification.

    Wisconsin might adopt some of the electronic-breach provisions of federal law. The sheer quantity of electronic information and the ease of its transmission require the legal system to continue to address the electronic theft of private medical information and identity theft.


    1. Emergency medical services and those fire departments that are first responders are covered entities. Because most departments and their billing services transmit health information in electronic form, they are liable under the law as covered entities.

    2. Pub. L. No. 111-5, 123 Stat. 115. All references marked ARRA are to Title XIII – Health Information Technology and its subsections.

    3. Each of these definitions is given summary treatment in this article; please see the actual law for the complete definition with all the inclusions and exceptions.

    4. 45 C.F.R. § 160.103.

    7. ARRA 2009, § 13400(18).

    8. Id. § 13400(1).

    9. Id. § 13400(5).

    10. Id. § 13400(12).

    11. Id. § 13402(h)(1)(A).

    12. Id. § 13404.

    13. Id. § 13408; 45 C.F.R. §§ 164.502(e)(2), .308(b), pt. 164, subparts C, E.

    14. ARRA 2009, §§ 13401, 13404(c).

    15. Id. § 13402(a).

    16. Id. §§ 13402(b), 13404.

    17. Id. § 13402(d)(1), (2).

    18. Id. § 13402(d)-(g).

    19. Id. § 13405.

    20. 45 C.F.R. § 160.522(a)(1)(i)(A).

    21. 45 C.F.R. § 160.522(a)(1)(i)(B)(iii).

    22. ARRA 2009, § 13404(a).

    23. Id. § 13405(c)(1)(A), (B).

    24. See 45 C.F.R. §§ 164.502(b)(1), .514(e)(2).

    25. ARRA 2009, § 13406.

    26. Id. § 13405(e).

    27. Id. § 13405(e)(1).

    28. As to this last exception, see 45 C.F.R. § 164.524.

    29. ARRA 2009, § 13407(a)(1), (2).

    30. Id. § 13407(e) (citing 15 U.S.C. § 57A(a)(1)(B) and Reg. 18(a)(1)(B)).

    31. Id. § 13407(f)(2) (citing 42 U.S.C. §§ 1320d(6), 1171(6)).

    32. Id. § 13407(g).

    33. Id. § 13407(f)(3).

    34. Id. §§ 13409, 13410.

    35. Id. § 13409 (amending by adding its provisions to 42 U.S.C. § 1320d(6)(a), § 1177(a)).

    36. Id. § 13405(c).

    37. Id. §§ 13402(j), 13403(a), (b), 13405(c)(2), (e)(3), (4), 13406(c), 13407(g), 13410(b)(1), (2), (c)(2)(d)(4), 13423, 13424.

    38. Id. § 13407(b).
