ALSTON & BIRD LLP

TO: ACLA Members
FROM: Alston & Bird, LLP
DATE: February 13, 2009
RE: Overview of the Health Information Technology Provisions in the Economic Stimulus Agreement
On February 13, 2009, the House and the Senate released the conference agreement on H.R. 1, the American Recovery and Reinvestment Act (ARRA). The conference agreement, which provides a total of $789.5 billion in spending and tax cuts, involved negotiations between Democratic congressional members and three Republican Senators, Susan Collins (R-ME), Olympia J. Snowe (R-ME), and Arlen Specter (R-PA). The compromise resulted in an economic stimulus agreement that is $29.5 billion less than set forth in the House bill and $48.5 billion less than in the most recent Senate version of the stimulus package. The legislation includes $301.1 billion in tax cuts and $311 billion in discretionary appropriations.
This memorandum provides a summary of the health information technology (HIT) provisions of the conference agreement. Specifically, we have outlined the provisions that will provide physicians and hospitals with funds for the implementation and development of HIT. In addition, we have provided a side-by-side chart that highlights the changes the stimulus package will make to the privacy laws under the Health Insurance Portability and Accountability Act (HIPAA). If you have any questions concerning this memorandum or would like additional detail regarding these provisions, please do not hesitate to contact us.
EXECUTIVE SUMMARY
ARRA contains significant financial incentives for HIT adoption among health care providers and practitioners via four main financing mechanisms:
(1) Several grant programs to provide funding for investing in HIT infrastructure, purchasing certified electronic health records (“EHRs”), training, and the dissemination of best practices.
(2) Direct grants to states for low-interest loans to help providers finance HIT.
(3) Beginning in 2011, a new set of Medicare incentive payments to encourage doctors and certain eligible hospitals to adopt and use certified EHRs. Those incentive payments would be phased out over time and replaced by financial penalties for physicians and hospitals not using certified EHRs.
(4) The authorization of a 100 percent federal match for payments attributable to the purchase and use of certified EHRs by Medicaid providers.
ARRA also makes significant changes to the privacy and security law governing HIT, detailed below.
INCENTIVE PROVISIONS
DISCRETIONARY FUNDS FOR OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY (ONCHIT) [1]
Amount: $2 billion
Timing of Fund Distribution: Funds will become available within 90 days of enactment of the Act, upon the Secretary’s submission of an
annual operating plan to the Senate and House Committees on Appropriations.
Standards for Distribution: $20 million must be given to the Director of the National Institute of Standards and Technology in the
Department of Commerce. $300 million must be distributed for the support of sub-national and regional efforts towards HIT exchange.
The remaining funds will be distributed for HIT infrastructure investment at the discretion of ONCHIT. (The bill authorizes 0.25 percent
of the funds to be used for administrative purposes.)
[1] American Recovery and Reinvestment Act of 2009, Division A, Title IX, Subtitle B.

HIT INFRASTRUCTURE GRANTS [2]
Amount: The bill authorizes the appropriation of necessary sums to carry out this program.
Timing of Fund Distribution: The Secretary is required to invest these funds for the development of HIT infrastructure through agencies
with HIT experience, such as ONCHIT, the Health Resources and Services Administration, the Agency for Healthcare Research and
Quality, the Centers for Medicare & Medicaid Services, the Centers for Disease Control and Prevention, and the Indian Health Service.
Standards for Distribution: Funds, under this section, are to be used for the acquisition of HIT meeting current standards and certification
criteria. Funds will be distributed to support the following goals: (1) HIT infrastructure investment to support the exchange of
information, (2) adoption of Electronic Health Records (EHRs) by providers not eligible for other incentive payments, (3) determination
of best practices for the integration and privacy of health information, (4) promotion of telemedicine, (5) HIT use by public health
departments, and (6) interoperable clinical data repositories.
[2] American Recovery and Reinvestment Act of 2009, Division A, Title IV, Subtitle C, § 13301.

HIT IMPLEMENTATION ASSISTANCE [3]
Amount: The bill directs the Secretary, working through ONCHIT, to establish a HIT extension program that will provide HIT assistance services through the Department of Health and Human Services. The bill also directs the Secretary to create a Health Information Technology Research Center to develop and promote best practices and provide HIT technical assistance. The Secretary will also provide financial support to regional centers, created under this subsection, for up to four years. The amount provided may not exceed 50 percent of the capital and annual operating and maintenance funds required to support such a center, unless Congress is notified that economic conditions make this cost-sharing requirement detrimental to the program. Regional centers will be evaluated biennially, with funds revoked if an evaluation is not positive. After two years of assistance, those centers receiving positive evaluations will be eligible to receive additional support.
[3] American Recovery and Reinvestment Act of 2009, Division A, Title IV, Subtitle C, § 13301.
Timing for Distribution: Within 90 days of the Act’s passage, the Secretary is required to publish a draft description of the program,
including a detailed explanation of the program’s goals, applicant procedures, criteria for determining qualified applicants, and expected
maximum support levels available for regional centers.
Standards for Distribution: Regional centers receiving funds under this program can be affiliated with any U.S.-based nonprofit institution. The regional centers must prioritize support to public, nonprofit, and critical access hospitals; federally qualified health centers; entities that serve uninsured, underinsured, and medically underserved individuals; and individual and small group practices focusing on primary care. Applications will be subject to merit review with consideration including, at a minimum: (1) the types of services provided by the applicant and the applicant’s ability to appropriately meet the needs of particular categories of health care providers, (2) the geographic diversity and scope of the service area, and (3) the percentage of funding and in-kind commitment from other sources.
STATE PLANNING AND IMPLEMENTATION GRANTS [4]
Amount: The bill appropriates such sums as may be necessary to carry out this grant program. The bill imposes the following state-matching requirements on the grant recipients:

Year                          State Matching Requirement
Before FY 2011                Secretary may determine the matching requirement
FY 2011                       Not less than $1 for each $10 of Federal funds provided under the grant
FY 2012                       Not less than $1 for each $7 of Federal funds provided under the grant
FY 2013 and subsequent years  Not less than $1 for each $3 of Federal funds provided under the grant

[4] American Recovery and Reinvestment Act of 2009, Division A, Title IV, Subtitle C, § 13301.
Timing for Distribution: The bill requires States and State-designated entities to submit applications for planning and implementation
grants. The bill does not require the Secretary to establish the program within a certain timeframe. It requires applicants to submit
applications “at such time, in such manner, and containing such information as the Secretary may specify.”
Standards for Distribution: States and State-designated entities are eligible to receive planning and implementation grants from the
National Coordinator. To qualify as a State-designated entity, the entity must be a non-profit with broad stakeholder representation on its
board, adopt nondiscrimination and conflict of interest policies, demonstrate a principal goal of using HIT, and be designated as eligible
by the State. Entities applying for grants would have to submit an application describing their plans for the expansion and use of HIT. Eligible entities must consult with a broad range of stakeholders.
STATE LOAN PROGRAMS [5]
Amount: The bill appropriates such sums as may be necessary to carry out the loan program. Eligible entities that receive grants under this subsection must meet a matching requirement by providing at least $1 for every $5 of Federal funds provided. Grant funds used for the administration of the programs may not exceed 4 percent annually.
Timing for Distribution: Grants may not be awarded before January 1, 2010.
Standards for Distribution: States and Indian tribes are eligible to receive grants to create loan programs for health providers
implementing HIT. Grant applicants must: (1) establish a qualified HIT loan fund, (2) submit a strategic plan and agree to provide
annual updates, (3) agree to provide matching funds, and (4) offer assurance that the entity will only provide loans to providers who
agree to submit quality measures, use the EHR technology for the electronic exchange of health information to improve the quality of
care, and submit a plan on how to maintain and support the EHR technology.
[5] American Recovery and Reinvestment Act of 2009, Division A, Title IV, Subtitle C, § 13301.

CLINICAL EDUCATION DEMONSTRATION [6]
[6] American Recovery and Reinvestment Act of 2009, Division A, Title IV, Subtitle C, § 13301.
Amount: The bill appropriates such sums as may be necessary to carry out the program. The Secretary may not provide more than 50 percent of the costs of any activity that is funded under this section, unless Congress is notified that economic conditions make this cost-sharing requirement detrimental to the program.
Timing for Distribution: The bill requires the Secretary to submit a report to the Committee on Health, Education, Labor, and Pensions
detailing specific projects established under this section and making recommendations based on an evaluation of the projects. The first
report must be submitted by the Secretary no later than 1 year after the enactment of the Act.
Standards for Distribution: The Secretary is authorized to create a demonstration program for awarding grants to medical, dental, behavioral and mental health, and nursing schools, and to graduate medical education programs in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistant studies, to integrate HIT into the clinical education of health care professionals. Grantees would be required to submit a strategic plan and collect data on the effectiveness of the demonstration project. Grant funds may not be used to purchase hardware, software, or services.
MEDICAL INFORMATICS EDUCATION GRANTS [7]
Amount: The bill appropriates such sums as may be necessary to carry out the program.
Timing for Distribution: No specific timeframe is stipulated in the bill. The Secretary must consult with the Director of the National
Science Foundation when providing this assistance.
Standards for Distribution: Health informatics education programs, including certification, undergraduate, and masters degree programs,
are eligible for funds. The bill directs priority to be given to existing programs and programs designed to be completed within six
months. Funds can be used for: (1) developing and revising curricula, (2) recruiting and retaining students, (3) acquiring equipment,
including testbed networks, and (4) establishing or enhancing bridge programs between community colleges and universities.
[7] American Recovery and Reinvestment Act of 2009, Division A, Title IV, Subtitle C, § 13301.

MEDICARE INCENTIVE PAYMENTS AND PENALTIES FOR PHYSICIANS [8]
Incentive Amount: Eligible physicians who are considered “meaningful” HIT users will receive incentive payments equal to 75 percent of their allowable Part B charges, subject to caps. The incentive payments will be paid out for a five-year period and will be capped for the first payment year at $18,000 if the first payment year is 2011 or 2012, and $15,000 if the first payment year is 2013. The payment cap will decrease each year thereafter during the remaining years of the five-year period. (In total, an eligible professional beginning EHR use in 2011 or 2012 may receive up to $44,000 over a five-year period. Payments may be made in an annual lump sum or in a series of smaller payments.) For physicians beginning EHR use in 2014, the incentive caps will be lower, and incentive payments will not be made after 2016. Physicians adopting EHRs after 2014 will not be eligible to receive incentive payments. Physicians who predominantly provide services in areas designated as health professional shortage areas will be subject to the above caps increased by 10 percent.
Penalty Amount: Penalties will be applied to eligible physicians who are not EHR users by 2015. These penalties will be applied through reductions in the Medicare payment amount. The fee schedule amounts will be reduced by the following percentages: 1 percent in 2015 (or 2 percent, in the case of an eligible professional subject to the Electronic Prescribing payment adjustment under Section 1848(a)(5) of the Social Security Act), 2 percent in 2016, and 3 percent in 2017 and each subsequent year. The Secretary retains discretion to increase the fee schedule percentage reduction in subsequent years by 1 percent each year (up to 5 percent) if the Secretary determines that less than 75 percent of eligible professionals are meaningful EHR users by 2018. The Secretary may provide an exemption to professionals demonstrating significant hardship in implementing HIT, but the exemption may not be granted for more than five years.
Timing for Distribution: Incentive payments will become available in 2011. Penalties will begin in 2015.
Standards for Distribution: Hospital-based physicians are not eligible for Medicare incentives or penalties under this section of the bill.
The bill also sets conditions under which incentive payments and penalties could be applied to physicians affiliated with Medicare
Advantage (MA) organizations. A “meaningful” EHR user is defined as an eligible professional who:
(i) demonstrates to the Secretary that he or she is using certified EHR technology in a meaningful manner, which should include electronic prescribing where appropriate (a professional may satisfy this requirement through means specified by the Secretary, which may include an attestation, submission of claims with appropriate coding, a survey response, other means of reporting specified in the bill, or other means specified by the Secretary);
(ii) demonstrates that the EHR technology is connected in a way to improve the quality of care, such as promoting care coordination; and
(iii) reports clinical quality measures selected by the Secretary.
[8] American Recovery and Reinvestment Act of 2009, Division B, Title IV, Subtitle A, § 4101.
The Secretary may provide alternate means for meeting these requirements for professionals providing services in a group practice. The
Secretary is also required to improve the use of EHRs and health care quality by requiring more stringent measures for “meaningful” use
over time.
MEDICARE INCENTIVE PAYMENTS AND PENALTIES FOR HOSPITALS [9]
Incentive Amount: Eligible hospitals that are considered “meaningful” HIT users will be eligible for incentive payments for a four-year period. Beginning in 2011, eligible hospitals would receive a base amount ($2 million), plus additional payments based on total discharges, up to a maximum number of discharges. Payments would be adjusted by the hospital’s Medicare share (i.e., a number based on a hospital’s Medicare patient mix), which would take into account the amount of charity care (i.e., the more charity care, the higher the Medicare share value). Hospitals beginning EHR use between 2011 and 2013 would receive the full payment amount during the first payment year, 75 percent in the second payment year, 50 percent in the third, and 25 percent in the fourth. (Payments may be made in an annual lump sum or in a series of smaller payments.) Hospitals beginning EHR use in 2014 or 2015 will receive lower incentive payments for three and two years, respectively. A hospital beginning EHR use after 2015 will not be eligible for incentive payments.
Penalty Amount: Beginning in 2015, hospitals that are not yet meaningful users of EHR systems would see reductions in their market
basket updates. The Secretary may provide an exemption to hospitals demonstrating significant hardship in implementing HIT, but the
exemption may not be granted for more than five years.
Timing for Distribution: Incentive payments will become available in 2011. Penalties will begin in 2015.
[9] American Recovery and Reinvestment Act of 2009, Division B, Title IV, Subtitle A, § 4102.
Standards for Distribution: Psychiatric, rehabilitation, and long-term care hospitals are excluded from receiving incentive payments for
meaningful EHR use. Critical access hospitals will receive HIT incentives by being allowed to expense the acquisition cost of HIT in a
single year for Medicare payment instead of depreciating it over a number of years. The bill would also establish payment incentives and
adjustments for eligible hospitals, under common corporate governance with a qualifying MA organization, that serve beneficiaries in an
MA plan offered by the organization. A “meaningful” EHR user is defined as an eligible hospital that:
(i) demonstrates to the Secretary that it is using certified EHR technology in a meaningful manner, which should include electronic prescribing where appropriate (a hospital may satisfy this requirement through means specified by the Secretary, which may include an attestation, submission of claims with appropriate coding, a survey response, other means of reporting specified in the bill, or other means specified by the Secretary);
(ii) demonstrates that the EHR technology is connected in a way to improve the quality of care, such as promoting care coordination; and
(iii) reports clinical quality measures selected by the Secretary.
The Secretary is also required to improve the use of EHRs and health care quality by requiring more stringent measures for “meaningful”
use over time.
MEDICAID FUNDING [10]
Amount: Physicians, nurse practitioners, and nurse midwives would be eligible to receive a 100 percent federal match of up to 85 percent of the costs of implementing and operating HIT. The bill limits the costs eligible for federal matching to $75,000 over a period of five years, which would authorize a federal match of up to $63,750 for eligible professionals (up to $21,250 for aid in adopting, implementing, and upgrading EHR systems plus up to $8,500 each year for a five-year period for operating and maintaining an EHR system). Payments to hospitals, including children’s hospitals and acute care hospitals, and to federally qualified health centers and rural health clinics, cannot exceed the amounts based on the Medicare incentive payment formula, with some modification. (States may not contribute more than 50 percent of the aggregate amount in any year, and the payments must be spread out over at least three years.) The bill also authorizes a 90 percent federal match to the states for administrative expenses they incur related to EHR technology payments.
[10] American Recovery and Reinvestment Act of 2009, Division B, Title IV, Subtitle B, § 4201.
Timing of Distribution: For purposes of carrying out this section, the bill appropriates to CMS $40 million for each year between 2009
and 2015 and $20 million for FY 2016.
Standards for Distribution: Eligible practitioners and providers include non-hospital-based physicians, nurse midwives, and nurse practitioners, and federally qualified health centers or rural health clinics (including those led by physician assistants), that have a patient volume with at least a 30 percent Medicaid population. Children’s hospitals and acute care hospitals with at least 10 percent of their patient volume attributable to Medicaid would also be eligible for Medicaid incentive payments. A non-hospital-based pediatrician with at least a 20 percent Medicaid patient volume would be eligible to receive up to two-thirds of the amount available to other eligible professionals in this section (i.e., $42,500). Any professional or hospital accepting Medicaid funding under this provision would have to waive the right to Medicare EHR incentive payments.
PRIVACY PROVISIONS
Subtitle D of the conference agreement would expand the HIPAA privacy and security standards. Among other things, it would establish a breach notification requirement for health information that is unsecured, strengthen enforcement of the HIPAA standards by increasing the penalties for violations under the law, place new restrictions on marketing activities by health plans and providers, and increase patient protections by allowing patients to request an accounting of disclosures of their electronic health information. Below we have provided a side-by-side chart comparing the existing privacy and security standards with the provisions set forth in the conference agreement.
Summary of the American Recovery and Reinvestment Act of 2009 Privacy Provisions
(Current as of February 13, 2009)

Columns: Provision; Current Law [11]; Conference Agreement
[11] Congressional Research Service, The Health Information Technology for Economic and Clinical Health (HITECH) Act, Jan. 26, 2009.
Definition of Breach
No current provision
Exceptions – A breach does not include:
(1) any unintentional acquisition, access, or use by an
employee or individual if made in good faith and
within the course and scope of the employment and
the information is not further acquired, accessed,
used, or disclosed by any person; or
(2) any inadvertent disclosure from an individual who
is otherwise authorized to access PHI at a facility
operated by a covered entity or business associate to
another similarly situated individual at the same
facility; and
(3) any such information received as a result of such
disclosure is not further acquired, accessed, used, or
disclosed without authorization by any person.
Definition of Breach (cont’d)
Application of Security
Provisions and Penalties to
Business Associates
Notification of Information
Breach
LEGAL02/31155328v1
Sec. 13400. Defines “breach” as the unauthorized
acquisition, access, use, or disclosure of protected health
information (PHI).
HIPAA civil and criminal
penalties apply to covered
entities. Covered entities are not
liable for, or required to monitor,
the actions of their business
associates.
HIPAA privacy and security
rules do not require covered
Sec. 13401. Applies the HIPAA security standards and the
civil and criminal penalties for violating those standards to
business associates in the same manner as they apply to
covered entities.
The Secretary will annually issue guidance, in consultation
with industry stakeholders, on the most appropriate security
safeguard technologies for protecting information.
Sec. 13402. In the case of a breach of unsecured PHI, a
covered entity must notify each individual whose
Overview of the Health Information Technology Provisions in the Economic Stimulus Agreement
February 13, 2009
Page 12
Notification of Information
Breach (cont’d)
entities to notify HHS or others
of a breach of the privacy,
security, or integrity of protected
health information (PHI).
Business associate contracts,
however, must include a
provision requiring business
associates to report to covered
entities if they become aware of
any security incident or any use
or disclosure of PHI that is not
provided for by the contract.
information has been, or is reasonably believed to have
been, breached. The method and content of the
notification is specified by the provision. For a breach of
unsecured PHI under the control of a business associate,
upon discovery of the breach, the business associate would
be required to notify the covered entity.
“Unsecured PHI” is PHI that is not secured through the use
of a technology or methodology identified by the Secretary
as rendering the information unusable, unreadable, or
indecipherable to unauthorized persons.
All breach notifications required by the covered entity and
business associate must be made no later than 60 days after
discovery (unless it would impede a criminal investigation
or national security).
The Secretary must also be notified by the covered entity of
such breaches. If more than 500 individuals are involved,
the Secretary must be notified immediately and notice must
be made to the local media. With respect to less than 500
individuals, the covered entity may report breaches on an
annual basis.
The Secretary must post publically a list of the covered
entities involved in breaches of more than 500 individuals.
The Secretary must promulgate interim final regulation
relating to the breach requirements no later than 180 days
LEGAL02/31155328v1
Overview of the Health Information Technology Provisions in the Economic Stimulus Agreement
February 13, 2009
Page 13
following enactment to be effective 30 days following.
Privacy Education
Privacy Education (cont’d)
Application of Privacy Provisions
and Penalties to Business
Associates
Patient’s Privacy Rights
LEGAL02/31155328v1
The privacy rule requires each
covered entity to designate a
privacy official for the
development and
implementation of its policies
and procedures.
No later than 1 year following the enactment and annually
thereafter, the Secretary must report to Congress on the
nature and number of breaches for which the Secretary is
notified and the actions taken.
Sec. 13403. The Secretary will designate a “privacy
advisor” in each regional office of HHS to offer education
and guidance to covered entities and business associates.
The Office of Civil Rights (OCR) shall develop and
maintain a national education initiative to educate the
public about their privacy rights.
HIPAA civil and criminal
penalties apply to covered
entities. Covered entities are not
liable for, or required to monitor,
the actions of their business
associates.
Sec. 13404. Business associates would only be permitted to
use or disclose PHI if such action was in compliance with
their written contract.
The privacy rule establishes a
number of Federal privacy
rights, including: (1) the right of
access to one’s own PHI; (2) the
right to amend or supplement
Sec. 13405.
Applies the HIPAA privacy provisions and the civil and
criminal penalties for violating those standards to business
associates in the same manner as they apply to covered
entities.
Requested Restrictions on Certain Disclosures: Permits
individuals to request that their PHI regarding a specific
item or service not be disclosed by a covered entity to a
Overview of the Health Information Technology Provisions in the Economic Stimulus Agreement
February 13, 2009
Page 14
Patient’s Privacy Rights (cont’d)
one’s PHI; (3) the right to
request that a covered entity
restrict the use and disclosure of
one’s PHI for the purposes of
treatment, payment, or other
health care operations; and (4)
the right to an accounting of PHI
disclosures (other than for
treatment, payment, or health
care operations, or pursuant to an
authorization).
The privacy rule incorporates a
minimum necessary standard.
However, there are a number of
circumstances in which the
minimum necessary standard
does not apply, such as with
respect to disclosures or requests
by a health care provider for
treatment purposes.
Disclosures of a “limited data
set” for certain specified
purposes (e.g., research) are
permitted pursuant to a data use
agreements with the recipient. A
limited data set has most direct
identifiers removed and is
considered to pose a low privacy
LEGAL02/31155328v1
health plan for purposes of payment or health care
operations, unless otherwise required by law, if the
individual has paid in full out-of-pocket for the item or
service. Under these circumstances, the covered entity
must comply with the request.
Limiting Disclosures to the Limited Data Set or the
Minimum Necessary: With respect to the use, disclosure,
or request of PHI, covered entities must make reasonable
efforts to limit such PHI to the “limited data set” (as
defined by HIPAA) or the “minimum necessary” to
accomplish the intended purpose of such use, disclosure, or
request.
The Secretary shall issue guidance on what constitutes
“minimum necessary” no later than 18 months after
enactment. In issuing guidance relating to what constitutes
“minimum necessary,” the Secretary shall take into
consideration the information necessary to improve patient
outcomes and to detect, prevent, and manage chronic
disease.
Permits the covered entity or business associate to
determine what constitutes the minimum necessary to
accomplish the intended purpose of disclosures.
Accounting of Certain PHI: In the event that a covered
entity uses or maintains an electronic health record (EHR)
with respect to PHI, individuals will have the right to
receive an accounting of PHI disclosures made by covered
entities for treatment, payment, and health care operations
during the previous 3 years.
The Secretary must promulgate regulations on what
information must be included in the accounting within 6
months of adopting HIT technical standards on accounting
for disclosures. The regulations must take into account the
interest of individuals and the administrative burden.
In response to a request, a covered entity must provide
either –
(1) an accounting for disclosures that are made by the
covered entity and by a business associate acting on
behalf of the covered entity; or
(2) an accounting for disclosures that are made by the
covered entity and a list of all business associates
acting on behalf of the covered entity. (A business
associate included on the list must provide the
accounting as required for covered entities if an
individual requests such accounting from the
business associate.)
Covered entities that currently use EHR must comply with
this requirement with respect to disclosures of PHI made by
a covered entity on and after January 1, 2014. For covered
entities that acquire EHR after January 1, 2009, the
requirement will apply on January 1, 2011 or the date that
the covered entity acquires EHR.
The Secretary may set a later effective date for current
users of EHR and users of EHR after January 1, 2009 if the
Secretary determines it to be necessary. However, in no
case can the date be later than 2016 for current users or
2013 for other users.
Prohibition on Sale of EHR or PHI: Clarifies that certain
uses and disclosures of PHI are not permitted without a
valid authorization, such as the sale of PHI, unless for –
(1) public health activities;
(2) research, where the price charged reflects the costs of
preparation and transmittal of data;
(3) treatment of the individual, subject to any regulations
the Secretary may promulgate to protect health
information from inappropriate access, use, or disclosure;
(4) health care operations;
(5) activities performed by a business associate pursuant
to a business associate agreement;
(6) the provision of a copy of an individual’s PHI to the
individual; and
(7) other activities determined appropriate by the Secretary.
The Secretary must promulgate regulations for this
section within 18 months of enactment, to be effective 6
months after promulgation. In promulgating the
regulations to carry out this prohibition, with respect to the
public health activities exception, the Secretary must
evaluate the impact of restricting the exception to require
that the price charged reflects the costs of the preparation
and transmittal of data relating to the public health activity,
including those conducted by the FDA. In addition, the
Secretary may apply this restriction if the Secretary
determines that such restriction would not impede public
health activities.
Patient’s Privacy Rights (cont’d)
Access to Certain Information in Electronic Format:
Individuals may receive electronic copies of their PHI used
or maintained by a covered entity in electronic format if the
entity uses an EHR, at a cost not to exceed the entity’s
labor costs. An individual may also choose to direct the
covered entity to transmit copies of their information to an
entity or person designated by the individual, so long as the
choice is clear, conspicuous, and specific.
Health Care Operations – Marketing and Fundraising
Current Law: “Health care operations” is broadly defined
and includes activities such as case management, quality
assessment, underwriting, legal services, business planning,
customer services, and fundraising.
As a general matter, a covered entity may not use or
disclose health information for its own marketing activities
without authorization. A communication about a product or
service to a recipient to encourage the recipient to purchase
or use the product or service is within the definition of
marketing. However, marketing communications made by a
covered entity (or its business associate), for example, to
describe a health-care related product or service, for
treatment of an individual, or for case management or care
coordination are excluded from this definition and,
therefore, do not require a patient’s authorization, even if
the covered entity is paid by a third party to engage in such
activities.
Conference Agreement: Sec. 13406. Marketing: Clarifies
the definition of marketing under HIPAA. A marketing
communication by a covered entity or business associate
that is about a product or service and that encourages
recipients of the communication to purchase or use the
product or service is not considered a health care operation,
unless the communication relates to, for example, a
health-care related product or service, treatment for an
individual, or case management or care coordination.
Prohibits a covered entity or business associate from
receiving any payment for marketing communications
relating to a health care-related product or service,
treatment for an individual, or case management or care
coordination unless –
(1) such communication describes only a drug or biologic
that is currently prescribed for the recipient of the
communication and any payment received by the
covered entity is reasonable in amount;
(2) the communication is made by a covered entity and the
covered entity obtains a valid authorization from the
recipient of the communication; or
(3) the communication is made on behalf of the covered
entity, and the communication is consistent with the
written contract between the business associate and
covered entity.
A “reasonable cost” will be defined by the Secretary in
regulation.
Fundraising: The Secretary shall provide that individuals
may opt out of any fundraising communication authorized
under the definition of “health care operations.”
Personal Health Record (PHR) Breach Notification
Requirement – PHR Vendors and Non-HIPAA Covered
Entities
Current Law: The HIPAA privacy and security rules apply
to covered entities and, through written contracts, to their
business associates.
Conference Agreement: Sec. 13407. In the case that an
individual’s unsecured PHR identifiable information is
breached, PHR vendors must notify the affected individual
and the Federal Trade Commission (FTC). Third-party
service providers that provide services to PHR vendors are
required to notify the vendor of any such breach.
“Unsecured PHR identifiable health information” is PHR
health information that is not protected through the use of a
technology or methodology specified in guidance issued by
the Secretary.
The FTC must also notify the Secretary of such breach.
Provides the FTC with the enforcement authority regarding
breaches of health information maintained by PHR
vendors, which will sunset when either the Secretary or the
FTC adopts privacy and security standards specific to
PHRs and other non-HIPAA covered entities.
The FTC must promulgate interim final regulations not
later than 180 days after enactment.
Any subsequent legislation put forth by Congress
establishing new requirements for notification in the case of
a breach by non-covered entities or non-business associates
will supersede this section.
Business Associate Contracts
Current Law: No current provision.
Conference Agreement: Sec. 13408. Requires organizations
that contract with covered entities for the purpose of
exchanging electronic PHI, such as Health Information
Exchanges, Regional Health Information Organizations,
E-Prescribing Gateways, and vendors of PHRs who have
entered contracts with covered entities, to have business
associate agreements with those entities.
Criminal Penalties for Wrongful Disclosures
Current Law: Under HIPAA, only covered entities can be
found criminally liable for wrongful disclosures of
individually identifiable information.
Conference Agreement: Sec. 13409. Amends HIPAA to
clarify that criminal penalties for wrongful disclosure of
individually identifiable health information apply to
individuals who without authorization obtain or disclose
such information maintained by a covered entity, whether
they are employees or not.
Improved Enforcement
Current Law: The Secretary is authorized to impose civil
monetary penalties on any person failing to comply with
the privacy and security standards.
Civil money penalties may not be imposed if: (1) the
violation is a criminal offense under HIPAA’s criminal
penalty provisions; (2) the person did not have actual or
constructive knowledge of the violation; or (3) the failure
to comply was due to reasonable cause and not to willful
neglect, and was corrected within 30 days.
HIPAA’s criminal penalties include fines of up to $250,000
and up to 10 years in prison for disclosing or obtaining
health information with the intent to sell, transfer or use it
for commercial advantage, personal gain, or malicious
harm.
Conference Agreement: Sec. 13410. Amends HIPAA to
permit OCR to pursue an investigation and the imposition
of civil monetary penalties against any individual for an
alleged criminal violation of the HIPAA standards if the
Department of Justice has not already prosecuted the
individual.
Requires a formal investigation of complaints and the
imposition of civil monetary penalties for violations due to
willful neglect.
The Secretary, within 3 years of enactment, would be
required to establish by regulation (based on Government
Accountability Office (GAO) recommendations) a
methodology to distribute a percentage of any collected
penalties to harmed individuals.
Replaces HIPAA’s existing civil monetary penalties with
four tiers of penalties based on the level of knowledge of
the violation, the highest of which would impose a fine of
$50,000 per violation and up to $1,500,000 for all such
violations of an identical requirement or prohibition during
a calendar year.
Preserves the current requirement that a civil fine would
not be imposed if the violation was due to reasonable cause
and corrected within 30 days.
Authorizes state attorneys general to bring a civil action in
Federal district court against individuals who violate the
HIPAA privacy and security standards.
Permits OCR to continue to use corrective action without a
penalty in cases where the person did not know, and by
exercising reasonable diligence would not have known,
about the violation.
Compliance Audits
Current Law: The Secretary is authorized to conduct
compliance reviews to determine whether covered entities
are complying with HIPAA standards.
Conference Agreement: Sec. 13411. Requires the Secretary
to perform periodic audits to ensure compliance with the
HIPAA privacy and security standards and the
requirements set forth in this legislation.
Preemption of State Law
Current Law: The HIPAA security standards preempt any
contrary provision of state law, with certain specified
exceptions (e.g., public health reporting). However, the
privacy rule does not preempt a contrary provision of state
law that is more protective of patient medical privacy.
Conference Agreement: Sec. 4421. Applies the HIPAA
preemption provisions to the privacy subtitle of this bill
and preserves the HIPAA privacy and security standards to
the extent they are consistent with this subtitle.
Requires the Secretary, by rulemaking, to amend the
HIPAA standards as necessary to make them consistent
with the legislation’s privacy and security provisions.
Nothing in the privacy provisions will constitute a waiver
of any privilege otherwise applicable to an individual with
respect to the PHI of such individual.
Effective Date
Conference Agreement: Sec. 13423. Except as otherwise
specified, the privacy and security provisions would
become effective 12 months after enactment.
Studies, Reports, and Guidance
Current Law: Any person who believes a covered entity is
not complying with the privacy rule may file a complaint
with HHS. HIPAA does not require the Secretary to issue a
compliance report.
Conference Agreement: Sec. 13424. Requires that the
Secretary submit an annual report to Congress on the
number and nature of complaints of alleged violations and
how they were resolved, including the imposition and
amount of civil money penalties; the number of audits
performed; and other elements.
Requires the Secretary and FTC to conduct a study and
submit a report to Congress on the application of privacy
and security requirements to non-HIPAA covered entities.
Requires the Secretary to issue guidance on how best to
implement the requirements for the de-identification of
PHI.
Requires the GAO to study and report on the disclosures of
PHI made for treatment purposes and best practices used by
entities and States for such disclosures.
Requires GAO to submit to Congress and the Secretary a
report on the impact of these privacy provisions on health
insurance premiums, overall health care costs, adoption of
EHRs by providers, reduction in medical errors, and other
quality improvements.
Requires the Secretary to study the definition of
“psychotherapy notes” with regard to including test data
that is related to direct responses, scores, items, forms,
protocols, manuals, or other materials that are part of a
mental health evaluation, as determined by a mental health
professional providing treatment or evaluation. The
Secretary may, based on the study, issue regulations to
revise such definition.