What are the key privacy provisions in the stimulus package?
The economic stimulus package made numerous changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, affecting electronic (and in some cases paper) records containing patient-identifiable health information (PHI). Practices are required to:

- Account for certain protected health information disclosures if the covered entity uses an EHR. Practices using an EHR are required to track all disclosures for treatment, payment and health care operations. Patients would have the ability to request disclosures for up to three previous years.
- Notify (within 60 days) each patient (or next of kin) whose PHI has been disclosed due to a breach. Practices must notify patients by letter and, if more than 500 patients are involved, notify local media and HHS (for Web posting).
- Restrict disclosure of PHI to a health plan for purposes other than treatment, if requested by a patient who paid out-of-pocket in full for health care services or items provided by a given