Skip to Content

Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation.

The American Recovery and Reinvestment Act of 2009 (ARRA, sometimes referred to as "the stimulus") included provisions making significant improvement in the privacy and security standards for health information. The provisions on privacy and security (generally in ARRA’s Title XIII, Subtitle D and some parts of Subtitle A) can be grouped into four broad categories:

  • Substantive changes to the HIPAA statue and privacy and security regulations
  • Changes in HIPAA enforcement
  • Provisions to address health information held by entities not covered by HIPAA (as either covered entities or business associates)
  • Miscellaneous: Administration/Studies/Reports/Educational Initiatives

For each set of changes, this summary indicates when the provision goes into effect and whether the Secretary is required to promulgate regulations or guidance or adopt technical standards. Appendisx A also sets forth an overall calendar with effective dates for various provisions and due dates for reports, regulations, and standards related to privacy.