While we are still making our way through all 563 pages of the regulations and related
regulatory comments (and will have a more detailed analysis shortly
in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA's privacy and security requirements will now
directly apply to business associates;
Business associates may also be liable for the increased
penalties for noncompliance based on the level of negligence up to
a maximum penalty of $1.5 million;
Subcontractors of business associates will automatically become
business associates themselves;
HIPAA won't protect IIHI for individuals who have been
deceased for over 50 years;
The definition of breach is changed so that an impermissible
use or disclosure of protected health information is
presumed to be a breach unless the covered entity
or business associate demonstrates that there is a low probability
that the protected health information has been compromised.
Breach notification is not required if it is demonstrated
through a risk assessment that there is a low probability that the
protected health information has been compromised, rather than by
demonstrating that there is no significant risk of harm to the
individual, as was provided under the interim final rule.
The final rule also identifies the more objective factors
covered entities and business associates must consider when
performing a risk assessment to determine if PHI has been
compromised and breach notification is necessary.
When individuals pay for their care in cash, they can instruct
their provider not to share information about their treatment with
their health plan;
Patients can request a copy of their electronic medical record
in an electronic form;
There are new limits on how information is used and disclosed
for marketing and fund-raising purposes; in particular, the sale of
an individual's health information without permission is
An individual's ability to authorize the use of his/her
health information for research purposes will be streamlined;
It will be easier for parents and others to give permission to
share proof of a child's immunization with a school; and
The final rule prohibits using or disclosing protected health
information that is genetic information for underwriting purposes
by all health plans that are covered entities under the HIPAA
Privacy Rule, including those to which GINA does not expressly
apply, except with regard to issuers of long term care
The final rule is effective on March 26, 2013; the compliance
date is 180 days thereafter (September 22, 2013). Covered entities
and business associates will have up to one year after the 180-day
compliance date to modify contracts in order to comply with the new
To view Foley Hoag's Security, Privacy and The Law
Blog please click