While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA's privacy and security requirements will now directly apply to business associates;
Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million;
Subcontractors of business associates will automatically become business associates themselves;
HIPAA won't protect IIHI for individuals who have been deceased for over 50 years;
The definition of breach is changed so that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. Breach notification is not required if it is demonstrated through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule. The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if PHI has been compromised and breach notification is necessary.
When individuals pay for their care in cash, they can instruct their provider not to share information about their treatment with their health plan;
Patients can request a copy of their electronic medical record in an electronic form;
There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual's health information without permission is
An individual's ability to authorize the use of his/her health information for research purposes will be streamlined;
It will be easier for parents and others to give permission to share proof of a child's immunization with a school; and
The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care
The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 22, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify contracts in order to comply with the new