Stimulus Bill Includes New HIPAA Rules

March 13, 2009 ( - The recently enacted stimulus bill contains a number of significant changes to the Health Insurance Portability and Accountability Act (HIPAA) that will affect health plan sponsors.

According to a Segal Company Bulletin, for the first time, group health plans will be required to provide notice to affected individuals when there is a breach involving “unsecured” protected health information (PHI). PHI is considered unsecured if it is not secured through the use of a technology or methodology specified by the Secretary of Health and Human Services (HHS).

Segal said notice must be provided without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. Notice must be provide to each affected individual and to the Secretary of the HHS and must include:

  • A description of what happened,
  • The types of PHI involved,
  • The steps individuals should take to protect themselves,
  • The steps the covered entity is taking to investigate and mitigate harm, and
  • Contact information for follow-up questions.

If the interim final regulations are published on time, Segal said the breach notification requirement will apply to breaches discovered after mid September 2009.

Effective one year from enactment of the stimulus bill, HIPAA business associates – third party administrators, pharmacy benefit managers, health benefits administration system vendors, attorneys, actuaries and consultants – will have a direct statutory obligation to comply with most of the HIPAA security rule and with the privacy-related obligations contained in their business associate agreements. The legislation the expansion of HIPAA enforcement to include actions against employees of covered entities and business associates and required periodic audits of covered entities and business associates.

The new rules also include significant increases in monetary penalties (topping out at $1.5 million per year a standard is violated for the most egregious violations) and enforcement by state attorneys general, according to the Segal Bulletin.

Segal says plan sponsors need to be prepared for the new HIPAA breach notification rule as early as this fall.

In the Segal Bulletin, the firm advises sponsors to:

  • Update HIPAA policies and procedures to reflect the rule changes and provide training on the changes to employees;
  • Review existing business associate agreements to determine if amendments are necessary to incorporate new HIPAA rules;
  • Consider whether HIPAA privacy notices need to be changed as participants can now request a restriction on the use and disclosure of protected health information; and
  • Review liability insurance contracts to determine if changes are necessary to ensure coverage in case of a HIPAA violation.

More information can be obtained by visiting .