UW logo
Human Subjects Division (HSD)


Changes to the HIPAA Regulations about Health Care Records

Nov 3, 2009 at 8:32am

New requirement.  Effective September 23, 2009, the American Recovery and Reinvestment Act (ARRA) added a new requirement to the HIPAA regulations about protected health care information (such as medical records).  UW Medicine is now required to inform patients or research subjects when their medical records are inappropriately accessed by UW workforce members (including UW researchers).  Prior to this time, patients and subjects have been notified about inappropriate disclosures.  Reporting inappropriate accesses is a significant change. 

There can be stiff federally-imposed penalties for failing to comply with this new addition to the HIPAA regulations, or for failing to report the discovery of an inappropriate access. 

Compliance audits.  Each access to a UW on-line medical record is electronically recorded and may be audited to verify that the access is appropriate.  The UW Medicine Privacy Program does 40 random audits every week to verify appropriate access.  This is in addition to a variable number of focused audits that are directed toward a specific member or segment of the UW workforce, or toward a specific patient or patient population.

More HIPAA changes are coming.  Though most researchers think of ARRA as the federal "stimulus funding" legislation, the ARRA also includes many significant additions or revisions to the HIPAA regulations.  HSD will inform campus researchers about each of these changes, and their impact, as the implementation date for a given change draws near.