February 23, 2009
The American Recovery and Reinvestment Act of 2009 extends direct HIPAA enforcement to benefit consultants, third-party administrators, and disease management and wellness program providers. "The requirement in the new law is the first time the U.S. government has addressed the issue of notification in the event of personal information security breaches," said Lisa Sotto, who heads the privacy and information management practice. "While more than 40 states have security breech notification laws, only two—Arkansas and California—govern notification of unauthorized disclosure of personal health information." Sotto focuses on privacy, data security and information management issues.