Timeline of HIPAA Changes
Upon enactment (February 16, 2009). See the American Recovery and Reinvestment Act of 2009 for the following:
- Application of new tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million. (Section 13410)
- Enforcement by State Attorneys General for offenses occurring post-enactment (Section 13410e). State Attorneys General may now bring suits seeking statutory damages and attorney's fees for HIPAA violations. Previously, such enforcement was exclusively limited to the Office for Civil Rights (OCR) within the federal Department of Health and Human Services (HHS).
Within 60 days of enactment (April 18, 2009)

Within 180 days of enactment (August 16, 2009)
- HHS and the Federal Trade Commission (FTC) will promulgate interim final regulations on notification of breaches. The FTC rules will apply to breach notification by Personal Health Records (PHRs) that are not covered by HIPAA or Business Associate Agreements. (Sections 13402, 13407) Issued August 24, 2009.
Within 210 days of enactment (September 16, 2009)
- This is the date on which the breach notification provision becomes effective (Section 13402). It is 30 days after HHS and the FTC issue interim final regulations about breach notification. This assumes the interim final regulations are issued on schedule; if not, the provision becomes effective 30 days after the interim final regulations are promulgated.
By December 31, 2009

Due within one year post-enactment (February 17,
- The Secretary will appoint a Chief Privacy Officer.
- OCR and HHS will launch an education initiative to improve public transparency on the use of health information.
- The Government Accountability Office (GAO) will report on best practices for disclosures for treatment and use of electronic informed consent. (Section 13424)
- HHS will report on and provide guidance on de-identification. (Section 13424c)
- Covered entities must enter into Business Associate Agreements with PHRs, Health Information Exchanges (HIEs), and other services that handle protected health information. (Section 13405e)
- HHS will report on guidance on effective technical safeguards for carrying out the HIPAA Security Rule.
- HHS and the FTC will report on privacy and security requirements for PHR vendors and applications.
One year post-enactment (February 17, 2010)
- HHS and the Office for Civil Rights clarify the application of criminal penalties to non-covered entities. (Section
- HHS to issue rules on which entities are required to be business associates. (Section 13401)
- Right to restrict disclosures to health plans for services paid for out of pocket. (Section 13405a)
- HHS Secretary required to conduct periodic audits of entities covered by HIPAA. (Section 13411)
- Patients' right of electronic access to records takes effect. (Section 13405e)
Within 18 months of enactment (August 17, 2011)

24 months post-enactment (February 17, 2011)
- GAO will report on the impact of ARRA. (Section
- Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009. (Section 13405c)
Last updated: July 12, 2010