Google stays mum on EHR privacy provisions of stimulus bill

27.02.2009
The stimulus bill that President Barack Obama signed last week has a section devoted to a nationwide transition to electronic medical records, one of his administration's highest priorities. However, it remains to be seen how the software industry will react to the stipulations regarding patient privacy, including clauses that describe how health information technology companies will be liable if patient privacy is breached.

Section XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 explains the consequences for liable entities in the case of a breach. Patients must be notified via mail within 60 days, Health and Human Services must be notified, and, if the breach involves more than 500 patients, the news media must also be notified. Individuals must also be provided a way to contact the company to discuss the breach.

Under the legislation, patients can also request an audit trail showing all disclosures of their health information made through an electronic record.

Much of the privacy language was added in at the 11th hour, during a held on February 12th. Obama signed the bill into law on February 17th.

"Our medical records are among the most sensitive information we have about ourselves, so it is essential that health IT systems have strong protections to protect patients' privacy," Rep. Edward Markey, D-Mass., co-chair of the Congressional Privacy Caucus, told Nextgov.com. Markey reportedly claimed responsibility for introducing the privacy language.

Consumer Watchdog, a Washington, D.C.-based consumer advocacy group, said the additions were a victory for patient privacy rights activists.