On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form; and (3) provides individuals with the right to instruct their provider not to share information about their treatment with their health plan when they pay in cash. The new rule formally expands patient privacy and security requirements to business associates, contractors and subcontractors. The rule also strengthens the government's ability to enforce the law with increased penalties for noncompliance based on the level of negligence, raising the maximum penalty to $1.5 million per violation.
In announcing the new patient privacy protections, HHS Secretary Sebelius recognized that "Much has changed in health care since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."
The National Institute of Standards and Technology has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53, titled Security and Privacy Controls for Federal Information Systems and Organizations. The revision is an important release for data privacy controls and standards.
The obligations of hedge funds, investment managers and service providers to protect confidential information relating to investors and to avoid breaches of data privacy legislation are increasingly in focus.
In a recently released decision from the U.S. District Court for the Southern District of Florida, Mais v. Gulf Coast Collection Bureau, et al., Judge Robert N. Scola, Jr., granted in part and denied in part cross motions for summary judgment in a putative class action before considering the issue of class certification.
The report also found that most utilities only comply with mandatory cybersecurity standards, and have not implemented voluntary NERC recommendations regarding general or specific threats (e.g., Stuxnet).