One Act, Two Rules

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is actually two separate rules. The Privacy Rule governs what information must be protected. The Security Rule governs how information must be protected. The Privacy Rule has been in place for a decade and is well understood. The Security Rule did not go into force until 2006, and had no enforcement until 2008. In practice, the Security Rule applied only to health plans and hospitals, not to labs, clinics or doctors' offices. That all changed in February of 2009.

Requirements and Penalties

On February 17, 2009 President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA). This bill authorizes $19 billion in medical subsidies, increases penalties for release of protected health information, greatly expands the legal right to sue under HIPAA, requires public notification of data breaches and makes business associates of covered entities directly responsible for full compliance with the HIPAA security rule.

HIPAA Security Rule Compliance

Directions for HIPAA security rule compliance under the ARRA are contained in the National Institute of Standards and Technology (NIST) "Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66 REV 1)." A special benefit of 800-66 compliance is that it removes the requirement for public notification of data breaches. Page 10 of the April 2009 HHS guidance document on ARRA states that compliance with 800-66 safeguards will "create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required."

For information on how to achieve HIPAA compliance with ACR 2 Solutions, please call 678-261-8181 or email sales@acr2solutions.com.

Copyright © 2006-2020 ACR 2 Solutions. All rights reserved.