Congress, under the Amercian Recover and reinvestment Act (ARRA, Pub. L. No. 111-5), has linked stimulus incentives to help doctors and health care providers implement electronic health recrods, to stricter security and privaacy rules.

Under the American Recovery and Reinvestment Act (ARRA, Pub. L. No. 111-5), the government will begin paying incentives to physicians and hospitals that become meaningful users of HIT in 2011. Along with the $20 billion in funding for such incentives, Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), made significant changes to the HIPAA privacy and security rules.

The Department of Health and Human Services issued guidance April 17 on the technologies and methodologies to secure health information and to prevent harm by rendering such information "unusable, unreadable, or indecipherable to unauthorized individuals."

As we have noted in other posts, the new HIPAA rules also create a federal requirement for security breach notification for the health care industry, and creates a "safe harbor"   from notification.

State attorneys general have explicit authority to enforce HIPAA and they new tiered penalty strucutre ranges from $25,000 to $1.5 millino in fines.

The administration is hoping that the increaed enforcement will help renew an emphasis on how employees access and use healtch care information.