HHS, the Department of Health and Human Resources, has revised the Privacy and Security Rule and broadened its reach, particularly for Business Associates.
Since many Indian entities work as Business Associates of HIPAA covered entities, this development is relevant to their activities. Related report: Press Release
The directions will be effective from March 26, 2013. The compliance deadline is 180 days from this date, which will be 23rd September 2013.
The rule:
a) clarifies when breaches of information must be reported to the Office for Civil Rights,
b) sets new rules on the use of patient-identifiable information for marketing and fundraising, and
c) expands direct liability under the law to the “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.
d) It also restores a limited right of consent to patients to control the release to their insurance company of records about their treatment if they pay for that treatment out of pocket. And it spells out how the greatly increased penalties for privacy and security violations under the ARRA are to be applied.
These changes will be incorporated with immediate effect in the forthcoming HIPAA-HITECH Act audits conducted by Naavi and Ujvala Consultants Private Limited.
Naavi