Tuesday, March 17, 2009

The Timeline for ARRA Privacy Provisions

As a valuable reference tool, please feel free to circulate and use this specially bookmarked PDF of ARRA (in Acrobat, just click on View, Navigation Panels, Bookmarks to navigate the sections of the bill). Thanks to Robin Raiford of Eclipsys for creating it.

The timeline below is based on work by the Markle Foundation and the Center for Democracy and Technology. Thanks for their effort!

Upon enactment (February 16, 2009)
*Application of new tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410)
*Enforcement by State Attorneys General for offenses occurring post enactment (Section 13410e)

Within 45 days of enactment (April 3, 2009)
*Appointment of HIT Policy Committee members (Section 3002b)

Within 60 days of enactment (April 18, 2009)
*HHS Secretary will issue guidance on methodologies and technologies that render information unreadable (Section 13402)

Within 180 days of enactment (August 16, 2009)
*HHS and the Federal Trade Commission will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA or Business Associate agreements (Section 13402, 13407)

By December 31, 2009
*HHS must adopt through rulemaking the initial prioritized set of standards which should include the accounting for disclosures (Section 3002b)

Due within one year post enactment (February 17, 2010)
*The Secretary will appoint a Chief Privacy Officer (Section 3001)
*The Office of Civil Rights and HHS will launch an education initiative to improve public transparency on the use of health information (Section 13403)
*The Government Accountability Office will report on best practices for disclosures for treatment and use of electronic informed consent (Section 13424)
*HHS will report on and provide guidance on de-identification (section 13424c)
*Covered entities must enter into Business Associate Agreements with PHRs, HIEs, and other services that handle protected health information (Section 13405e)
*HHS will issue rules on opting out of fundraising solicitations (Section 13406)
*HHS will report on guidance on the effective technical safeguards for carrying out the HIPAA security rule (Section 13401c)
*HHS and the Federal Trade Commission will report on privacy and security requirements for PHR vendors and applications

One year post enactment (February 17, 2010)
*HHS and the Office of Civil Rights clarify application of criminal penalties for non-covered entities (Section 13409)
*HHS to issue rules on which entities are required to be business associates (Section 13401)
*Right to restrict disclosures to health plans for services paid for out of pocket (Section 13405a)
*HHS Secretary required to conduct periodic audits of entities covered by HIPAA (Section 13411)
*Right of electronic access of records by patients takes effect (Section 13405e)

Within 18 months of enactment (August 17, 2010)
*HHS guidance on minimum necessary data (Section 13405c)
*Regulations regarding the prohibition on sale of data, which take effect 6 months after promulgation (Section 13405a)

By 2011
*Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009 (Section 13405c)

24 months post enactment (February 17, 2011)
*Clarification of ability to pursue civil penalties when criminal penalties are not pursued (Section 13405)

By 2012
*Regulations for methodology for distributing penalties or settlement money to harmed individuals (Section 13410)

By 2013
*Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009 (Section 13405c)

By 2014
*GAO will report on the impact of ARRA (Section 13424)
*Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009 (Section 13405c)

By 2016
*Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009 (Section 13405c)

7 comments:

Ahier said...

Check out the HHS Recovery Webcast

http://www.hhs.gov/recovery/webcast_captioned.html

Jana Aagaard said...

You need to add September 16, 2009 as the date on which the breach notification provision becomes effective. (Section 13402) This is 30 days after DHHS and the FTC issue interim final regulations about breach notification.

John Halamka said...

Thanks Jana - very helpful!

Unknown said...

I agree with Jana that something should be added regarding the effective date of the breach notification provisions, but it may not be 9/16/09 if the interim final regulations are promulgated before the 180-day deadline to do so. Perhaps it could be something like "Sept. 16, 2009, or 30 days after the interim final regulations are promulgated, whichever comes earlier." Thank you for your work on the timeline.

John said...

I realize this isn't quite on topic but in reading the various provisions of section 13400 I am bothered by having yet another definition of what a data breach is. Almost every state has spelled out (differing) definitions of what a data breach is, while the feds have virtually no codified definition outside of OMB M-07-16. It seems while it may not be possible to avoid such distinctions, any effort to minimize multiple definitions of what a data breach is would go a long way to keeping things understandable and manageable for citizens and businesses.

I don't mean to try and bollix things up, but I can see a lot of confusion over classifying (in order to respond) a data exposure incident involving a mix of medical and non-medical PII.

It seems smart folks are working on this, I just hope they don't build a medical information data breach "silo" that now competes with other data breach laws and regs rather than complementing them.

Anonymous said...

It's really a very interesting blog.. I will always be grateful to you for the information posted in this blog.
Learn here about sympathy words
