The Final Omnibus HIPAA/HITECH Rule
The final rule addresses multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care or payment for care, and disclosures of student immunization records.
HIPAA defines information as PHI if it contains any of the following about the patient, the patient’s household members, or the patient’s employers: names, birthdates, dates of medical treatment, discharge dates, telephone numbers, addresses, Social Security numbers, medical record numbers, photographs, X-rays and any other unique identifying forms.
This rule currently applies directly to business associates and their subcontractors. The Final Rule defines a Subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” The Final Rule also changes the definition of a Business Associate to now include a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” Accordingly, a Subcontractor is directly obligated to comply with the requirements of HIPAA and HITECH, including the HIPAA Security Rule and the breach notification obligations, in the same manner as a Business Associate.
HIPAA requires the following to comply:
- Health Care Providers: those providing preventative, diagnostic, therapeutic, rehabilitative, palliative care and counseling services, or an assessment or procedure with respect to the physical or mental condition or functional status of an individual.
- Health Care Clearinghouses: businesses that process or facilitate the processing of health information received from other businesses. This includes groups such as physician and hospital billing services.
- Health Plans: Individuals or group plans that provide or pay the cost of medical care and includes both Medicare and Medicaid programs.
Gramm-Leach-Bliley Act (GLBA)
A federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
GLBA defines financial institutions as: “companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance”. The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
- Non-bank mortgage lenders
- Real estate appraisers
- Loan brokers
- Debt collectors
- Real estate settlement service providers
A financial institution must provide a notice of its privacy policies, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party, if the disclosure is outside of the exceptions in sections 13, 14 or 15 of the regulations.
FACTA Disposal Rule
As part of the ongoing federal effort to combat identity theft and other forms of consumer fraud, Congress in 2003 passed FACTA. Pursuant to the mandate in section 216 of the Act, and after consultation with Federal banking agencies, the National Credit Union Association, and the Securities and Exchange Commission, the FTC elected to adopt a new rule implementing the disposal requirements of the Act.
Given that every business that touches “consumer information” will soon be under a duty to dispose of that information properly, a key question concerns what constitutes disposal. Of course, routine destruction of the records or information would be included, but the rule also includes “abandonment of consumer information” and “the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.” 16 C.F.R. § 682.1(c). Thus, businesses must be concerned not only with routine document retention and destruction policies and procedures covering consumer information, but also policies and procedures related to the transfer, donation, or other disposition of computer equipment and other media on which consumer information may be located.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act was enacted in response to a series of high-profile financial scandals that occurred in the early 2000s at companies including Enron, WorldCom and Tyco that rattled investor confidence. The act, drafted by U.S. Congressmen Paul Sarbanes and Michael Oxley, was aimed at improving corporate governance and accountability. Now, all public companies must comply with SOX.
PLEASE NOTE THAT LEGAL COUNSEL MUST BE CONTACTED FOR CLARIFICATION OF ALL FEDERAL, STATE, AND GOVERNMENT REGULATIONS, LAWS AND RULES. NORTHEAST DATA DESTRUCTION AND MILLER RECYCLING ASSUME NO LIABILITY FOR THE ABOVE INFORMATION. THESE ARE INTENDED FOR GUIDELINE PURPOSES ONLY.