Most of the new regulations restrict the sale of protected health information and its use for marketing and fund-raising purposes, the release states.
The new rules also change how to determine whether a breach of unsecured protected health information by a health plan or a business associate has occurred. Under the new rules, a breach is presumed to have occurred unless the health plan or business associate demonstrates that there is a low probability that the protected health information has been compromised, according to the statement.
Health plans no longer need to place business associates under contract to maintain the confidentiality of the plan’s protected health information. HIPAA’s privacy and data security rules now directly apply to business associates, as do the law’s civil and criminal penalties, the release explains.
A formal risk assessment is required for each potential breach, according to the release. If a breach is found to have occurred, according to the statement, the offending health plan is required to notify each affected individual within 60 days of the discovery of the breach.