Topic: Privacy Law
The final Department of Health and Human Services (HHS) regulations on the Health Insurance Portability and Accountability Act (HIPAA) become effective on March 26. The regulations represent the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.
The new regulations include a variety of concepts which will be of general interest to benefit plan sponsors:
- Privacy notice updates. The final regulations require several updates to the privacy notice required under the HIPAA privacy rule.
- Business associates. The new regulations change HIPAA rules by (1) expanding the definition of a business associate to include subcontractors and (2) altering what business associate agreements must contain.
- Breach notification requirements. The final regulations provide that an acquisition, access, use, or disclosure of protected health information (PHI) in an impermissible manner is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that PHI has been compromised based on a risk assessment of at least four factors set out in the regulations. These are:
  - The nature and extent of the PHI involved, including the nature and extent of the identifiers involved and the likelihood that the data could be reidentified;
  - The unauthorized person who used the PHI or to whom the disclosure was made;
  - Whether the PHI was actually acquired or viewed; and
  - The extent to which the risk to the PHI has been mitigated.
The regulations make other changes as well. For instance, they increase penalties for noncompliance with HIPAA rules and expand individuals’ rights in several ways (e.g., by allowing patients to ask for an electronic copy of their medical records and setting new limits on how individuals’ information is used and disclosed for fundraising and marketing reasons).
If you have any questions about these new regulations or their impact on your organization, contact:
Jacob M. Sitman (610) 797-9000, ext. 383
Kathleen M. Mills (610) 797-9000, ext. 308
This blog post has been prepared and published for informational purposes only. None of its content should be construed as or relied upon as legal advice. Therefore, no one should act or refrain from acting based on its content. The content is not a substitute for competent legal advice. For legal advice or answers to specific questions, please contact one of our attorneys. Information provided by our attorneys should only be considered legal advice after a formal attorney-client relationship has been established with our law firm and you and confirmed in writing by one of our attorneys.