Other Laws

Application of Privacy Provisions and Penalties to Business Associates of Covered Entities : HIPAA restrictions apply to a business associate to same extent as they do to a covered entity.

Limitation on Disclosure : Employers, labor organizations and others may not disclose genetic information: exceptions include written authorization; research; court order; government compliance investigations; imminent public health threats.

Treatment of Information As Part of Confidential Medical Record : If an employer, employment agency, labor organization, or joint labor-management committee possesses genetic information about an employee or member, such information shall be maintained on separate forms and in separate medical files and be treated as a confidential medical record of the employee or member.

Timeliness of notification : All breach notifications shall be sent no case later than 60 calendar days after the discovery of a breach of security. If a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security, the notification shall be delayed.

Breach notification requirement for vendors of personal health records and other non-HIPAA covered entities : After discovering a breach of security of unsecured PHR identifiable health information, the vendor of personal health records must notify affected individuals and the FTC. Third party service providers must similarly notify the vendors of security breaches.

Clarification of application of wrongful disclosures criminal penalties : Criminal penalties

Improved enforcement : Tiered increase in amount of civil penalties

Privacy and Confidentiality : Amends HIPAA to treat genetic information as health information; use or disclosure by a covered entity (group health plan, health insurance issuer, or issuer of a Medicare supplemental policy) of protected health information that is genetic information about an individual for underwriting purposes shall not be a permitted use or disclosure. A covered entity that violates the HIPAA privacy rules by use or disclosure of genetic information shall be subject to the HIPAA penalty provisions.