While we are still making our way through all 563 pages of the regulations and related regulatory comments (and will have a more detailed analysis shortly in this space), here are some of the highlights we (and the HHS press release) have noted so far:
Many of HIPAA's privacy and security requirements will now directly apply to business associates;
Business associates may also be liable for the increased penalties for noncompliance, based on the level of negligence, up to a maximum penalty of $1.5 million;
Subcontractors of business associates will automatically become business associates themselves;
HIPAA won't protect IIHI for individuals who have been deceased for over 50 years;
The definition of breach is changed so that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.
Breach notification is not required if it is demonstrated through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule. The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if PHI has been compromised and breach notification is necessary.
When individuals pay for their care in cash, they can instruct their provider not to share information about their treatment with their health plan;
Patients can request a copy of their electronic medical record in an electronic form;
There are new limits on how information is used and disclosed for marketing and fund-raising purposes; in particular, the sale of an individual's health information without permission is
An individual's ability to authorize the use of his/her health information for research purposes will be streamlined;
It will be easier for parents and others to give permission to share proof of a child's immunization with a school; and
The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long-term care
The final rule is effective on March 26, 2013; the compliance date is 180 days thereafter (September 22, 2013). Covered entities and business associates will have up to one year after the 180-day compliance date to modify contracts in order to comply with the new
To view Foley Hoag's Security, Privacy and The Law
Blog please click