HIPAA Final Rule 2013-Definitions

The HIPAA final rule 2013, made effective from March 26, 2013, makes a few important changes in the definitions.

Firstly, the definition of “Business Associate” has been expanded to include “Patient Safety Organizations”.  Hence Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as well as Vendors of Personal Health Records will be considered as “Business Associates” and such Business Associates will be directly covered under the obligations of Privacy, Security and Enforcement rules.

Secondly, any “Sub Contractor” of the business associate will also be considered as covered under the provisions of the Final rule as applicable for Privacy, Security and Enforcement. For this purpose, a Sub Contractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Hence the provision of obtaining satisfactory assurances for meeting HIPAA obligations extends to Sub Contractors as much as the primary business associates.

The third definitional aspect that is modified by the Final rule is to define that the term “PHI” extends to the information of a deceased person up to a period of 50 years after death.

Naavi


HIPAA Final Rule 2013-Background

HIPAA Privacy and Security rules are covered under

1. The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)

2. The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

3. The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C – E)

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009, as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules, as well as requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security, and enforcement.

The HITECH Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates.

In addition, the Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.

Some of the proposed, and now final, changes are necessitated by the statutory changes made by the HITECH Act and GINA, while others are of a technical or conforming nature.

Naavi


HIPAA Final Rules 2013- An Omnibus Rule

The HIPAA Final Rules announced with effect from 26th March 2012 comprise four final rules. Hence they are being referred to as the “Omnibus Final Rule”.

They are,

1. Final Modifications with improvements to the proposed rule of July 14, 2010 under HITECH Act. They are

a) Make Business Associates directly liable for compliance with relevant parts of the Privacy and Security rule
b) Strengthen the limitations on the use and disclosure of PHI for marketing
c) Expand individual’s right to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
d) Require modifications to and redistribution of a covered entity’s notice on privacy practices
e) Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to descendent information by family members or others
f) Adopt the additional HITECH Act enhancements to the enforcement rule not previously adopted in the October 30, 2009 interim final rule such as non compliance due to wilful neglect.

2. Final Rule adopting changes to HIPAA Enforcement rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
3. Final rule on Breach Notification for Unsecured PHI
4. Final Rule modifying the HIPAA Privacy Rule as required by the Genetic Information Non Discrimination Act (GINA)

Naavi


Privacy Rule under HIPAA-HITECH Act expanded

HHS, the department of Health and Human Resources, has revised the Privacy and Security Rule and broadened its reach, particularly for the Business Associates.

Since many Indian entities work as Business Associates of HIPAA covered entities, this development is of relevance to their activities. Related report: Press Release

The directions will be effective from March 26, 2013. Compliance deadline is 180 days from this date, which will be 23rd September 2013.

The rule

a) clarifies when breaches of information must be reported to the Office for Civil Rights,

b) sets new rules on the use of patient-identifiable information for marketing and fundraising, and

c) expands direct liability under the law to the “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

d) It also restores a limited right of consent to patients to control the release to their insurance company of records about their treatment if they pay for that treatment out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.

These changes will be incorporated with immediate effect in the forthcoming HIPAA-HITECH Act audits conducted by Naavi and Ujvala Consultants Private Limited.

Naavi


Aaron Swartz is a victim of Bad application of law

Aaron Swartz, the young techie who committed suicide on the 11th of January, represents a tragedy that could have been prevented if the Police had been more reasonable.
Swartz was deeply involved in the campaign against “Stop Online Piracy Act” (SOPA) which was seen as an act that would have made it easy for the US Government to shut down sites for copyright violations and in the process would have curbed some of the fundamental rights associated with the early concept of Internet as a vehicle of free information.

Swartz was being prosecuted for unauthorized downloading of material from the JSTOR database, which he felt was a fight against the inappropriate use of Copyright law where publishers got more benefit than authors. See here for details

It is alleged that the US prosecutors tried to demand higher punishments by invoking Computer Fraud and Abuse Act and thereby trying to enhance the possible punishment from around 6 months to 35 years.

In the tech circles, Swartz is seen as a crusader who lost his life because of bad implementation of law.

For a long time the untimely death of Aaron Swartz will continue to disturb internet activists.

Naavi


Need for Netizen’s Forum

It is being increasingly observed in India that the Cyber Law space is in need of a major overhaul. Cyber Crimes are increasing and the Government machinery as well as the Police are acting dangerously showing apathy for genuine victims and aggression for political opponents.

ITA 2008 has bestowed enormous powers on the Police and if a tendency develops in the police to misuse them then there would be danger for the society.

Our Human Rights Organizations are incapable of understanding the requirements of Netizens, protecting their rights and preventing their unfair victimization.

Examples of Government apathy are evident in the Government of India remaining silent on the appointment of chair person for the Cyber Appellate Tribunal in Delhi. In Karnataka apathy of the Government is evident from the action of the earlier Adjudicator who has kept the service out of reach of cyber crime victims in Karnataka with a tainted decision and the new administration remaining silent.

Examples of Police atrocities are rising. Honest small business owners in Internet space are in danger of being harassed by excessive use of force.

There is a need for change in some of the laws to make them more effective without being repressive.

Naavi.org has been a spokesperson for such issues on cyber space for nearly 15 years. But the anti netizen forces have now become so strong that unless a larger movement of netizens takes up the responsibility for fighting for netizen’s rights, the future of Cyber space dwellers from India looks bleak.

Naavi.org therefore proposes setting up of an All India Netizen’s Forum with the sole objective of being a representative body of Netizens which can take up issues of importance to the Netizens with the appropriate authorities from time to time.

Initially, Naavi.org will be the base and an attempt to build a critical mass of Netizens into this forum will be started. If sufficient support is received, the movement will be taken forward.

The outline of what this “All India Forum of Netizens” (AIFON) is expected to do will be presented through this site.

I look forward to support from all like minded persons for this initiative.

Naavi
