ARRA May Slow the Transition to Digital Medical Records

Posted by: Jeffrey Neu

The toughened health information privacy provisions included in the American Recovery and Reinvestment Act of 2009 (ARRA) are intended to increase patients' acceptance of electronic medical records (EMRs).

New provisions will extend most Health Insurance Portability and Accountability Act privacy and security rules and civil penalty and liability terms—as well as the new breach notification mandates—to the "business associates" that medical care providers and insurers hire to perform duties such as billing and transcription services. The data breach provisions are to take effect in 12 months.

Covered entities are required to alert patients whenever a data breach exposes their protected information outside the entity, and to alert the public in the event of a breach affecting multiple patients.

They must also announce breaches on their public website when the exposure involves data on 10 or more patients. When a breach exposes the information of 500 or more, the institution must alert the local media.

The breach provisions offer an exemption for unintended exposures of patient data within a medical facility, such as when a doctor leaves a patient's record on a screen while he or she steps away to consult with another doctor on the case.

Covered entities may still use patients' names and addresses for hospital fund raising, something that the original House bill would have ended. Under the enacted legislation, hospitals may send fund-raising letters to former patients as long as the letter includes a prominent section specifying how the individual may opt out of future fund-raising letters.

Although there is a great deal of concern with regard to the uses of patient records that become "de-identified" medical data, the ARRA does not require them to be logged.