News & Updates


Privacy Provisions of Stimulus Act - Impact to Brokers

Nov 03, 2009

The American Recovery and Reinvestment Act of 2009 ("ARRA," also known as the "Stimulus Act"), signed into law on February 17, 2009, includes a number of privacy provisions that directly impact brokers and other Business Associates (BAs). Significant changes affect the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

Changes to Privacy Provisions
While increased fines associated with certain non-compliance mandates are already in effect, additional rules regarding personal health information are effective September 23, 2009. You should be aware of the following privacy provision changes:


Effective Dates 



Effective February 17, 2009 

Depending on the severity of the violation, non-compliance fines could range from $100 per violation to $1.5 million aggregate for identical violations. 

Security breach requirements 

September 23, 2009 

A new federal security breach rule requires disclosure to the affected member(s) when protected health information (PHI) is disclosed to an unintended party. As a BA, you are required to report breaches to covered entities.

Direct responsibility for non-compliance 

February 2010 

You will become directly accountable for complying with HIPAA's security and privacy rules. You will be required to sign a new BA agreement that reflects these changes. 

Further restrictions on usage of patient information 

February 2010 

Changes to the Minimum Necessary Rule require Anthem Blue Cross to use limited data sets, internally and externally, when possible. Limited data sets do not contain common individual identifiers such as name, address and birth date. Updates about changes to privacy provisions will be communicated as new information becomes available.


February 2011 

The ARRA allows state Attorney General enforcement in addition to federal regulatory enforcement. 

Security Breach Notice Requirements
In order to comply with the new security breach notice requirements, you will be required to inform Anthem Blue Cross of:

Please report these breaches to Anthem as soon as possible but no later than the next business day.

Examples of Reportable Disclosures
You must report to Anthem all disclosures of member-protected health information to an unintended recipient. Examples include:

How to Report Privacy and Security Breaches
All disclosures must be reported to Anthem. To eliminate human error, brokers should report security breaches to the health plan service units. These associates will ask for details on the nature of the security breach, and will initiate the reporting process. If you have questions about the breach reporting process, contact your sales representative.

Brokers will receive a communication later this year with instructions for executing new BAAs.    

Additional information on the privacy provisions can be found in the Frequently Asked Questions by clicking here.
