So, you are a covered entity, and you finally feel like you have a grasp on how to navigate NY Reg.
scope of what is considered a covered entity. The Note will discuss the
This sometimes includes the requirement that the provider obtain the patient's express authorization to use or share the data, even if the disclosure would otherwise have met the TPO exception. For example, if the covered entity receives payment for sharing or using the data, that disclosure no longer meets the TPO exception (e.g., a third-party vendor wants to pay the provider to send an email blast to a select group of the provider's patients).
(53) In comparison to the breach notification statutes, NYDFS' breach prevention regulations instead require notice to the NYDFS superintendent within seventy-two hours if there is "a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity." (54) Just as California was the first state to impose data breach notification legislation, (55) acting as the catalyst for national uniformity, New York could be the flagship for more stringent, uniform data breach prevention regulations.
Standards that are "addressable" provide some flexibility to covered entities in that if the covered entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.
Business associates are any organizations that provide services or products to the covered entity, as indicated by the parameters of a BAA between the two parties.
By this date, each covered entity will be required to complete its first required risk assessment under written policies and procedures, and document its findings.
Any covered entity or business associate that inappropriately shares PHI is in big trouble and has breached the law.
(b) Authorized User means any employee, contractor, agent or other Person that participates in the business operations of a Covered Entity and is authorized to access and use any Information Systems and data of the Covered Entity
A covered entity may disclose PHI without authorization for the following purposes:
If a covered entity or business associate stores protected health information on a cloud-based service without getting a business associate agreement from the provider, that could lead to HIPAA violation fines, officials say.