ABA Privacy and Data Security Update May 14, 2013


ABA Privacy and Data Security Update, May 14, 2013
Presenters: David Keating, Paul Martino, Kim Peretti, Bruce Sarkisian

Overview
- Cybersecurity
- Legislative Developments
- Health Privacy
- Privacy and Technology
- International

Cybersecurity Update

Understanding the threat
From exploitation to disruption to destruction

DDOS Attacks - disruption

North Korea - destruction

Protecting against the threat
Government response

Executive Order

EO process developments
- Framework development
  - NIST RFI, responses, workshops
- Other areas of private sector input
  - Integrated task force
  - SSAs and Councils
  - CIPAC
- Government tasks/timetable
  - List of greatest-risk critical infrastructure
  - Incentives

Data Breach Update
Investigations, regulatory inquiries, litigation

Investigations

Breaches, Regulator Inquiries

Privacy class actions

Legislative Developments in Cybersecurity, Data Security & Privacy

Cybersecurity Legislation

U.S. House of Representatives Passes CISPA

Other Cybersecurity Legislation in House: Rep. Blackburn Introduces SECURE IT Act
- Rep. Marsha Blackburn (R-TN), Vice Chair of House Energy & Commerce Cmte., introduced H.R. 1468, The SECURE IT Act of 2013, on April 10, 2013
- Text largely based on Senate Republican cybersecurity legislation of 2012
- Also includes a data security title based on Sen. Toomey's data security and breach notification bill from last Congress (S. 3333 in the 112th Congress)

State Privacy Legislation
More States Enact Laws to Restrict Employer Access to Social Media Accounts:
- Arkansas enacts H.B. 1901 and 1902; both signed by Governor in April 2013
- Colorado Legislature passes H.B. 1046 in April 2013; sent to Governor on May 1, 2013
- New Mexico enacts S.B. 371 and S.B. 422; both signed by Governor in April 2013
- Washington Legislature passes S.B. 5211; sent to Governor on April 28, 2013
California Assembly Cancels its April Hearing on a Bill to Amend Cal-OPPA:

HIPAA/HITECH Act Omnibus Final Rule Developments Since March

Rule Publication/Effective Date
The Office for Civil Rights of the U.S. Department of Health and Human Services published the Omnibus Final Rule on January 25, 2013. The Omnibus Final Rule became effective on March 26, 2013, and requires compliance 180 days later, on September 23, 2013.

New Statements Required in Notices of Privacy Practices (NPPs)
The Omnibus Rule modified the Privacy Rule to require the addition of several statements:
- Where applicable, a statement indicating that most uses and disclosures of psychotherapy notes require authorization.
- A statement indicating that uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI, require authorization.
- A statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.
- If the covered entity intends to contact the individual for fundraising purposes, the NPP must include a statement informing the individual of the potential contact as well as the individual's right to opt out of receiving fundraising communications. The covered entity is not required to state the mechanism for opting out of fundraising communications, but may do so.
- A statement informing the individual of his or her right to restrict disclosures of PHI to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which the individual has paid out of pocket in full.
- A statement explaining the right of affected individuals to be notified following a breach of unsecured PHI.

NPP Distribution Obligations for Health Plans
When publishing the Final Rule, HHS confirmed that the Rule's required revisions to NPPs constitute material changes to a covered entity's NPPs. Accordingly, the material changes trigger distribution obligations. A health plan that currently posts its NPP on its website must:
- Prominently post the material change or its revised NPP on its website by the effective date of the material change to the NPP; and
- Provide the revised NPP, or information about the material change and how to obtain the revised notice, in the health plan's next annual mailing to individuals covered by the plan.

NPP Distribution Obligations for Other Health Care Providers
The Omnibus Rule did not revise the current distribution obligations regarding revised NPPs of health care providers who have a direct treatment relationship with an individual. Those providers must make the NPP available upon request on or after the revision's effective date, must have the NPP available at the delivery site, and must post the notice in a clear and prominent location. HHS confirmed that health care providers need not hand out a revised NPP to all individuals.

The Privacy Rule's Revised Definition of Marketing
The new definition of marketing encompasses all treatment and health care operations communications where the covered entity (or business associate or subcontractor) receives financial remuneration for making such communications from a third party whose product or service is being marketed. These types of communications therefore require advance authorization from the individual. Furthermore, all subsidized treatment communications that promote a health-related product or service will be treated as marketing communications that require authorization.

Privacy Rule Marketing Considerations
The only exception to the definition of marketing that permits the covered entity to receive remuneration is for refill reminders and other communications about currently prescribed drugs, but only if the remuneration received in exchange for making the communication is reasonably related to the cost of making the communication. Recently, CVS announced that it would stop using data from its prescription drug records to mail prescription refill notices to customers on behalf of pharmaceutical manufacturers. CVS cited the Omnibus Rule as the reason for the change.

Privacy Developments
- Children's Privacy
- Mobile Technologies
- Standards
- International

Privacy and Technology: Children's Online Privacy
FTC Publishes FAQs for Amended COPPA Rule
- Duties as to newly covered information collected prior to July 1
- Level of due diligence required as to third-party services
- Mobile app standards
- FTC votes to retain July 1st effective date

Privacy and Technology: Mobile Device Privacy
- Landmark CalOPPA suit on FlyDelta app dismissed
- New FTC guidance on kids' mobile apps
- Public forum on mobile devices scheduled for June 4
- CNIL issues Statement on Article 29 WP Opinion on mobile apps

Privacy and Technology: NIST SP 800-53 Rev 4
- First comprehensive update since 2005
- Criticism
- Specifics:
  - Cybersecurity hygiene
  - Advanced Persistent Threats
  - Mobile and cloud computing
  - Supply chain threats

International Data Protection
- Status of Data Protection Regulation
- Art 29 Working Party Activities
  - Secondary Processing
  - BCRs and Processor Status
  - Coordination with FTC
- DPA Activities