The Department of Health & Human Services released much-anticipated new rules January 17, which continue to tighten data security obligations for most companies. Specifically, HHS has modified existing Regulations (45 CFR Parts 160 and 164) under the Health Insurance Portability and Accountability Act of 1996 (commonly referred to as "HIPAA"). The final rule will become effective on March 26, 2013, with a final compliance date of September 23, 2013.
Your McCarter attorney is available to provide information specific to your business. In the meantime, all HIPAA-regulated entities should be aware that the new rules will:
· Change the requirements of what must be contained in a company's Notice of Privacy Practices.
· Expressly shift subcontractor liability to Business Associates.
· Apply the HIPAA Security Rule and Privacy Rule directly to Business Associates.
· Clarify, and in certain ways simplify, standards for obtaining authorization for secondary research.
· Clarify that HIPAA's data security regulations require Covered Entities and Business Associates to review and update their security measures.
· Prevent disclosure of genetic information for health insurance underwriting.
· Permit disclosure of immunization records to schools in certain cases without specific written authorization.
Please do not hesitate to contact Rich Green rgreen@mccarter.com 860.275.6757 with questions regarding these new rules.
