1 vote
Discuss the changes to HIPAA under the American Recovery and Reinvestment Act (ARRA) as they relate to security requirements for business associates. How do these changes make it riskier to be a business associate? How do they make it more cumbersome?

by User Jan Blaha (7.5k points)

1 Answer

4 votes

Final answer:

The HITECH Act under ARRA amended HIPAA to make business associates directly liable for compliance with HIPAA's security and privacy rules, thereby increasing legal and financial risks and operational complexity due to the need to implement comprehensive protective measures for health records.

Step-by-step explanation:

The changes to the Health Insurance Portability and Accountability Act (HIPAA) under the American Recovery and Reinvestment Act (ARRA), specifically via the Health Information Technology for Economic and Clinical Health (HITECH) Act, introduced new security requirements for business associates. These changes require business associates who handle protected health information (PHI) on behalf of covered entities to comply with HIPAA's security and breach notification rules. This made it riskier to be a business associate since they could now be held directly liable for non-compliance and subject to the same penalties as covered entities, thus increasing legal and financial risks.

Furthermore, it became more cumbersome for business associates because they had to adopt new administrative, physical, and technical safeguards, train staff on compliance, and possibly modify contracts to ensure HIPAA compliance in handling health records. New obligations expanded their scope of responsibility and required more rigorous data security measures, heightening the complexity of their operations and potentially increasing operational costs.

by User Esmee (7.1k points)