Wisconsin Department of Health Services

Timeline of HIPAA Changes

Upon enactment (February 16, 2009). See the American Recovery and Reinvestment Act of 2009 for the following section references.

  • Application of new tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million. (Section 13410)

  • Enforcement by State Attorneys General for offenses occurring post enactment (Section 13410e). State Attorneys General may now bring suits seeking statutory damages and attorney's fees for HIPAA violations. Previously, such enforcement was exclusively limited to the Office of Civil Rights (OCR) within the federal Department of Health and Human Services (HHS).

Within 60 days of enactment (April 18, 2009)

  • HHS Secretary will issue guidance on methodologies and technologies that render information unreadable. (Section 13402) Issued April 17, 2009

Within 180 days of enactment (August 16, 2009)

  • HHS and the Federal Trade Commission (FTC) will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by Personal Health Records (PHRs) that are not covered by HIPAA or Business Associate Agreements. (Sections 13402, 13407) Issued August 24, 2009

Within 210 days of enactment (September 16, 2009)

  • This is the date on which the breach notification provision becomes effective (Section 13402). This is 30 days after HHS and the FTC issue interim final regulations about breach notification. *This assumes interim final regulations are issued; if not, this provision becomes effective 30 days after the interim final regulations are promulgated.

By December 31, 2009

  • HHS must adopt through rulemaking the initial prioritized set of standards which should include the accounting for disclosures. (Section 3002b)

Due within one year post enactment (February 17, 2010)

  • The Secretary will appoint a Chief Privacy Officer. (Section 3001)

  • OCR and HHS will launch an education initiative to improve public transparency on the use of health information. (Section 13403)

  • The Government Accountability Office (GAO) will report on best practices for disclosures for treatment and use of electronic informed consent. (Section 13424).

  • HHS will report on and provide guidance on de-identification. (Section 13424c).

  • Covered entities must enter into Business Associate Agreements with PHRs, Health Information Exchanges (HIEs), and other services that handle protected health information. (Section 13405e)

  • HHS will report on guidance on the effective technical safeguards for carrying out the HIPAA security rule. (Section 13401c)

  • HHS and the FTC will report on privacy and security requirements for PHR vendors and applications.

One year post enactment (February 17, 2010)

  • HHS and the Office of Civil Rights clarify application of criminal penalties for non-covered entities. (Section 13409)

  • HHS to issue rules on which entities are required to be business associates. (Section 13401)

  • Right to restrict disclosures to health plans for services paid for out of pocket. (Section 13405a)

  • HHS Secretary required to conduct periodic audits of entities covered by HIPAA. (Section 13411)

  • Right of electronic access of records by patients takes effect. (Section 13405e)

Within 18 months of enactment (August 17, 2011)

  • HHS guidance on minimum necessary data. (Section 13405c)

  • Regulations regarding sale of data prohibition which take effect 6 months post promulgation. (Section 13405a)

By 2011

  • Initial deadline for complying with new accounting and disclosure rules for information kept in Electronic Health Records (EHRs) acquired after January 1, 2009. (Section 13405c)

24 months post enactment (February 17, 2011)

  • Clarification of ability to pursue civil penalties when criminal penalties are not pursued. (Section 13405)

By 2012

  • Regulations for methodology for distributing penalties or settlement money to harmed individuals. (Section 13410)

By 2013

  • Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009. (Section 13405c)

By 2014

  • GAO will report on the impact of ARRA. (Section 13424)

  • Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009. (Section 13405c)

By 2016

  • Extended deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009. (Section 13405c)

 

Last updated:  July 12, 2010