While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
- Many of HIPAA's privacy and security requirements will now directly apply to business associates;
- Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million;
- Subcontractors of business associates will automatically become business associates themselves;
- HIPAA won't protect IIHI for individuals who have been deceased for over 50 years;
- The definition of breach is changed so that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. Breach notification is not required if it is demonstrated through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule. The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if PHI has been compromised and breach notification is necessary.
- When individuals pay for their care in cash, they can instruct their provider not to share information about their treatment with their health plan;
- Patients can request a copy of their electronic medical record in an electronic form;
- There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual's health information without permission is
- An individual's ability to authorize the use of his/her health information for research purposes will be streamlined;
- It will be easier for parents and others to give permission to share proof of a child's immunization with a school; and
- The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care
The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 22, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify contracts in order to comply with the new