HIPAA Final Rule 2013 - Background

The HIPAA Privacy and Security rules are covered under:

1. The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)

2. The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

3. The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C – E)

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009, as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules, and also requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security, and enforcement.

The HITECH Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates.

In addition, the Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.

Some of the proposed, and now final, changes are necessitated by the statutory changes made by the HITECH Act and GINA, while others are of a technical or conforming nature.

Naavi


HIPAA Final Rules 2013 - An Omnibus Rule

The HIPAA Final Rules, announced with effect from 26th March 2012, comprise four final rules. Hence they are being referred to as the “Omnibus Final Rule”.

They are,

1. Final modifications, with improvements, to the proposed rule of July 14, 2010 under the HITECH Act. They are:

a) Make Business Associates directly liable for compliance with relevant parts of the Privacy and Security rule
b) Strengthen the limitations on the use and disclosure of PHI for marketing
c) Expand individuals’ right to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full
d) Require modifications to and redistribution of a covered entity’s notice on privacy practices
e) Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to descendent information by family members or others
f) Adopt the additional HITECH Act enhancements to the enforcement rule not previously adopted in the October 30, 2009 interim final rule, such as non-compliance due to wilful neglect

2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
3. Final rule on Breach Notification for Unsecured PHI
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Non Discrimination Act (GINA)

Naavi


Privacy Rule under HIPAA-HITECH Act expanded

HHS, the department of Health and Human Resources, has revised the Privacy and Security Rule and broadened its reach, particularly for Business Associates.

Since many Indian entities work as Business Associates of HIPAA covered entities, this development is of relevance to their activities. Related report: Press Release

The directions will be effective from March 26, 2013. Compliance deadline is 180 days from this date, which will be 23rd September 2013.

The rule

a) clarifies when breaches of information must be reported to the Office for Civil Rights,

b) sets new rules on the use of patient-identifiable information for marketing and fundraising, and

c) expands direct liability under the law to the “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

d) It also restores a limited right of consent to patients to control the release to their insurance company of records about their treatment if they pay for that treatment out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.

These changes will be incorporated with immediate effect in the forthcoming HIPAA-HITECH Act audits conducted by Naavi and Ujvala Consultants Private Limited.

Naavi


Aaron Swartz is a victim of Bad application of law

Aaron Swartz, the young techie who committed suicide on the 11th of January, represents a tragedy that could have been prevented if the Police had been more reasonable.
Swartz was deeply involved in the campaign against the “Stop Online Piracy Act” (SOPA), which was seen as an act that would have made it easy for the US Government to shut down sites for copyright violations and in the process would have curbed some of the fundamental rights associated with the early concept of the Internet as a vehicle of free information.

Swartz was being prosecuted for unauthorized downloading of material from the JSTOR database, which he felt was a fight against the inappropriate use of Copyright law where publishers got more benefit than authors. See here for details

It is alleged that the US prosecutors tried to demand higher punishments by invoking the Computer Fraud and Abuse Act, thereby trying to enhance the possible punishment from around 6 months to 35 years.

In tech circles, Swartz is seen as a crusader who lost his life because of bad implementation of law.

For a long time the untimely death of Aaron Swartz will continue to disturb internet activists.

Naavi


Need for Netizen’s Forum

It is being increasingly observed in India that the Cyber Law space is in need of a major overhaul. Cyber Crimes are increasing and the Government machinery as well as the Police are acting dangerously, showing apathy for genuine victims and aggression for political opponents.

ITA 2008 has bestowed enormous powers on the Police and if a tendency develops in the police to misuse them then there would be danger for the society.

Our Human Rights Organizations are incapable of understanding the requirements of Netizens, protecting their rights and preventing their unfair victimization.

Examples of Government apathy are evident in the Government of India remaining silent on the appointment of a chairperson for the Cyber Appellate Tribunal in Delhi. In Karnataka, apathy of the Government is evident from the action of the earlier Adjudicator, who has kept the service out of reach of cyber crime victims in Karnataka with a tainted decision, and the new administration remaining silent.

Examples of Police atrocities are rising. Honest small business owners in the Internet space are in danger of being harassed by excessive use of force.

There is a need for change in some of the laws to make them more effective without being repressive.

Naavi.org has been a spokesperson for such issues in cyber space for nearly 15 years. But the anti-netizen forces have now become so strong that unless a larger movement of netizens takes up the responsibility for fighting for netizens’ rights, the future of Cyber space dwellers from India looks bleak.

Naavi.org therefore proposes setting up of an All India Netizen’s Forum with the sole objective of being a representative body of Netizens which can take up issues of importance to the Netizens with the appropriate authorities from time to time.

Initially, Naavi.org will be the base and an attempt to build a critical mass of Netizens into this forum will be started. If sufficient support is received, the movement will be taken forward.

The outline of what this “All India Forum of Netizens” (AIFON) is expected to do will be presented through this site.

I look forward to support from all like minded persons for this initiative.

Naavi


Domain Registrars under threat of arrest across India

Across India a wave of fear is spreading amongst Domain Name registrars that they may be arrested by the local police. The fear psychosis has been created by the news item that in Noida, Police have arrested the domain registrar who had provided links to  of 36 websites on which pornographic content was uploaded. (See report in TOI: Report in HT)

Though there might have been a justification for penal action against the owners of pornographic sites and also for indirect action against the intermediaries who facilitated the crime, the action of “Arresting” the domain name registrars appears to be an excessive reaction by the Police. This follows the trend where Police appear to be using Cyber Laws as the new weapon of aggression against the society.

So far, we were only worried about politicians misusing the arrest provisions through the subservient police as in the case of Pondicherry and Palghar. But now we have the incidence of Police getting intoxicated with the arbitrary power of arrest. Every law provides for such powers as an enabling provision so that the law enforcement does not feel deprived of powers when there is a need to exercise them. But if Police think it is a license to harass the public, then it is time to curb the powers of the police. After all, “Arrest” is not a “Right” of the police. It is meant to be resorted to only as an extreme measure to deter an accused from getting away. While the police deliberately let some criminals get away sometimes while in custody or while on parole, their penchant for arresting ordinary persons is revolting.

While Naavi.org supports police action against companies who run their business solely for the purpose of committing crimes, such as the recent report on BPO for Financial scam indicated, we strongly oppose using arrest of business executives such as domain registrars.

It is necessary that such an attitude of the police is resisted by the society. I therefore call for Noida police to offer a public explanation on why the arrest in this case was found necessary.

Simultaneously this is time for Netizens to think of how to protect themselves from the police atrocities in cyber space.

Naavi
