Sunday, February 28, 2010

ARRA: A Whole New World

By Mark Brousseau

Last year was a year of transition for HIPAA, medical privacy and medical banking, Richard D. Marks of McLean, VA-based Patient Command, Inc., told attendees this afternoon at the Medical Banking Project Boot Camp at the HIMSS10 conference in Atlanta.

“ARRA changes the rules for security of health information in the United States,” Marks said. “It creates an entirely new framework because it changes HIPAA so much and because it changes privacy in medical records. And, most significantly, it changes the whole approach to enforcement.”

“It’s fair to say that for the last decade, there has not been any real attempt on the part of the federal government to enforce HIPAA,” Marks explained. “ARRA changes that. What it brings into law, for the first time, is the hierarchy of diligence and culpability. There are increased, tiered civil and criminal monetary penalties, topping out at $50,000 per violation, with an annual limit of $1,500,000. These numbers are enough to get your attention. But the statute also includes civil and criminal liability for individuals, as well as organizations. Which individuals, you ask? Well, it could be you! And some people won’t figure this out, and you will see some prosecutions,” Marks predicted.

Integrated health information security is inherent in ARRA, Marks added.

References in business associate contracts now, by law, apply mutually to covered entities and business associates, Marks pointed out. “The impact of that is to rebalance all of the risk allocation that is in these agreements, and it creates a whole new set of possibilities for liabilities. Some folks will be less affected than others. But some of you will be affected enormously,” Marks said.

For instance, security is now an active responsibility of the board of directors and senior executives, if you are doing anything that touches healthcare, Marks said. “If you’re a public company you’ve really got to ask yourself how you do disclosure when you have to take on a much greater risk for your information systems,” Marks said. “What this all means is that you must have integrated, shared systems security that is comprehensive and fast, and upgraded from what you now have.”

Some of the changes in ARRA won’t go into effect until 2011. “But some of this is in effect now, because people, such as ambitious state attorneys general, are going to start enforcing HIPAA,” Marks said. “The bottom line is that ARRA makes it a whole new world in healthcare.”
