While we are still making our way through all 563 pages of the regulations and related
regulatory comments (and will have a more detailed analysis shortly
in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA's privacy and security requirements will now
directly apply to business associates;
Business associates may also be liable for the increased
penalties for noncompliance based on the level of negligence up to
a maximum penalty of $1.5 million;
Subcontractors of business associates will automatically become
business associates themselves;
HIPAA won't protect IIHI for individuals who have been
deceased for over 50 years;
The definition of breach is changed so that an impermissible
use or disclosure of protected health information is
presumed to be a breach unless the covered entity
or business associate demonstrates that there is a low probability
that the protected health information has been compromised.
Breach notification is not required if it is demonstrated
through a risk assessment that there is a low probability that the
protected health information has been compromised, rather than
demonstrate that there is no significant risk of harm to the
individual as was provided under the interim final rule.
The final rule also identifies the more objective factors
covered entities and business associates must consider when
performing a risk assessment to determine if PHI has been
compromised and breach notification is necessary.
When individuals pay for their care in cash, they can instruct
their provider not to share information about their treatment with
their health plan;
Patients can request a copy of their electronic medical record
in an electronic form;
There are new limits on how information is used and disclosed
for marketing and fund-raising purposes; in particular, the sale of
an individual's health information without permission is
An individuals' ability to authorize the use of his/her
health information for research purposes will be streamlined;
It will be easier for parents and others to give permission to
share proof of a child's immunization with a school; and
The final rule prohibits using or disclosing protected health
information that is genetic information for underwriting purposes
by all health plans that are covered entities under the HIPAA
Privacy Rule, including those to which GINA does not expressly
apply, except with regard to issuers of long term care
The final rule is effective on March 26, 2013; the compliance
date is 180 days thereafter (September 22, 2013). Covered entities
and business associates will have up to one year after the 180-day
compliance date to modify contracts in order to comply with the new
To view Foley Hoag's Security, Privacy and The Law
Blog please click
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
As all aspects of business inexorably shift toward online, it is not surprising that intellectual property infringement, cybersquatting, and related internet abuses abound. Luckily, there are various procedures available by which aggrieved companies can seek relief short of litigation.
Foley Hoag will present a 60-minute webinar on Thursday, March 16 at 12:30 pm EDT offering guidance for in-house counsel regarding internet takedowns and domain name disputes, including identifying which procedures are available in which situations, along with the nuts and bolts of domain name disputes and complaint procedures on popular platforms such as Facebook, Twitter, and Yelp.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity's untimely breach notification in violation of HIPAA.
Shortly before the New Year, the United States Attorney for the Southern District of New York unsealed an indictment against three Chinese hackers who allegedly stole information from two prominent U.S. law firms.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).