ASA is currently analyzing the entire 563-page rule. Some areas of preliminary interest include:
Adoption of a default presumption that an impermissible use or disclosure is a data breach unless it can be determined through a risk assessment that there is a low probability that data may be compromised (under HITECH breach notification requirements).
Implementation of the HIPAA language related to the expansion of privacy & security obligations to business associates.
Strengthening of the government’s enforcement authority.
Required updates to the notice of privacy practices.