The final omnibus rule, under review by the Office of Management and Budget since March, is based on statutory changes to the HITECH Act and Genetic Information Nondiscrimination Act of 2008. A recent Compliance Week story on concerns over the delayed issuance can be found here.
Long-delayed and eagerly awaited, the Department of Health and Human Services on Thursday released revised privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
New Healthcare Privacy and Security Rules Finally Emerge
An item of concern leading up to yesterday's announcement was how the final rule would tackle notifications (to both individuals and HHS) following a breach of unsecured health information, and whether a threshold of significant risk of harm to an individual would trigger such notifications. HHS added such a threshold in its proposed rule, even though Congress had expressly voted not to do so.
Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
The final rule retains the essence of that view, but does so after removing the harm standard and modifying risk assessment demands to focus more objectively on the risk that protected health information has been compromised. It clarifies that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability of such a compromise. The rule also identifies the objective factors covered entities and business associates must consider when performing a risk assessment.
The rule uses an example to illustrate who does, and who doesn't, meet this definition. An entity hired by a business associate to appropriately dispose of documents that contain protected health information is also a business associate and is subject to the applicable provisions of the HIPAA rules. If the documents to be shredded do not contain protected health information, then the entity is not a business associate.
The final rule is effective on March 26, 2013. Covered entities and business associates will have 180 days beyond the effective date of the final rule to come into compliance with most provisions, including the modifications pertaining to breach notifications.
The package of HIPAA enhancements expands many existing requirements to business associates of healthcare entities that receive protected health information. The final rule defines a business associate as a person who performs services for a covered entity that involve the use or disclosure of protected health information. The new definition adds patient safety activities to the activities that define a business associate relationship, as well as health information organizations, e-prescribing gateways, and vendors of personal health records. It also extends the business associate provisions of the HIPAA rules to subcontractors that create, receive, maintain, or transmit protected health information on behalf of a business associate.
A cost-benefit analysis included with the rule estimates the total cost of compliance to be between $114 million and $225 million in the first year of implementation, and approximately $14.5 million annually thereafter. These costs are projected to include $55.9 million for notices of privacy practices required of approximately 700,000 covered entities, $14.5 million for breach notification requirements for 19,000 entities, between $21 million and $42 million for business associate agreements, and security rule compliance costs as high as $113 million.
In the proposed rule, HHS explained that a harm standard would align the rule with many state breach notification laws. In addition, the standard was intended to ensure that consumers were not flooded with breach notifications for inconsequential events, which could cause unnecessary anxiety and eventual apathy among consumers, it said.