{"id":14220,"date":"2013-02-01T14:30:43","date_gmt":"2013-02-01T19:30:43","guid":{"rendered":"http:\/\/pmedicine.org\/epatients\/?p=14220"},"modified":"2013-02-01T15:26:14","modified_gmt":"2013-02-01T20:26:14","slug":"final-hipaa-privacy-security-rule-whats-in-it-for-patients","status":"publish","type":"post","link":"https:\/\/participatorymedicine.org\/epatients\/2013\/02\/final-hipaa-privacy-security-rule-whats-in-it-for-patients.html","title":{"rendered":"Final HIPAA Privacy &#038; Security Rule &#8211; What&#8217;s in it for Patients?"},"content":{"rendered":"<p>After years of delay, the federales <strong><em>finally<\/em><\/strong> finalized the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.<\/p>\n<p><strong>Introduction<\/strong><\/p>\n<p>The Final Rule offers significant changes to patient rights and patient protections.\u00a0(There is much more to the rule, but other aspects are not addressed in this post. Here you may find a link to the\u00a0<a href=\"http:\/\/healthblawg.typepad.com\/healthblawg\/2013\/01\/hipaa-omnibus-rule-google-hangout.html\">HIPAA Omnibus Rule<\/a>, a Google+ Hangout taking a first look at the rule as a whole, and a bullet-point summary of the hangout; here you may find a piece I wrote on the\u00a0<a href=\"http:\/\/healthblawg.sharedby.co\/8d9f35b3d72281e8\/?web=e9e547&amp;dst=http%3A\/\/www.fiercehealthit.com\/story\/guest-commentary-uncertainties-surround-new-hipaa-breach-notification-rule\/2013-01-29\">Breach Notification Rule<\/a>. \u00a0Some work remains to be done on other parts of the HIPAA rules, such as the accounting of disclosures provisions.)<\/p>\n<p>Before detailing the patient-focused changes, a bit of broad-brush background is in order. The original HIPAA privacy and security rules are all designed to protect the privacy and security of &#8220;protected health information&#8221; (PHI) of individual patients. 
PHI may be shared among health care providers and payors (and health care clearinghouses &#8211; a type of claims processor) (collectively, Covered Entities or CEs) for purposes of treatment, payment and operations (TPO) without asking patients for permission. Any other use or disclosure of PHI requires patient consent. Some CE operations require dealings with Business Associates (BAs) &#8212; entities that are not CEs, but that end up using PHI to help CEs carry out their TPO responsibilities (e.g., medical records vendors, billing companies, etc.). Every CE is required to give patients a Notice of Privacy Practices (NPP) and to enter into a Business Associate Agreement (BAA) with each of its BAs, under which the BA agrees to maintain the privacy and security of PHI.<\/p>\n<p>The amendments collected in the Final Rule are promulgated under the HITECH Act (the portion of the 2009 Recovery Act that also funded the Meaningful Use EHR incentive program) and GINA (the Genetic Information Nondiscrimination Act of 2008). \u00a0The amendments under the HITECH Act added additional privacy and security protections to HIPAA in order to allay concerns that, with the promotion of more widespread use of electronic health records, there would be more opportunities for breaches of the privacy and security of PHI. Amendments under GINA harmonize HIPAA regulations with GINA regulations.<\/p>\n<p>So, without further ado, here are the highlights:<\/p>\n<p><strong>Business Associates are held to the same strict standards as Covered Entities<\/strong><\/p>\n<p>Business Associates and their subcontractors are now directly responsible for compliance with HIPAA, not just responsible for signing a BAA. 
They will now be subject to <a href=\"http:\/\/healthblawg.typepad.com\/healthblawg\/2012\/06\/ocr-releases-hipaa-privacy-and-security-audit-protocol.html\">OCR HIPAA compliance audits<\/a>, just as CEs are, and should be undertaking risk assessments in order to ensure that their privacy and security compliance is up to snuff. \u00a0BAs have always been responsible for compliance under their BAAs, but some BAs, particularly smaller ones, probably have not focused enough on HIPAA compliance. Now they will have to because they are fully accountable &#8212; they can be audited and fined, just like the Covered Entities.<\/p>\n<p><strong>The definition of BA is expanded<\/strong><\/p>\n<p>Business Associates are now defined to include a broader array of contractors that store and touch PHI &#8212; including, for example, document storage companies and other contractors that &#8220;maintain&#8221; PHI, even if they do not actually view the information in their possession.<\/p>\n<p><strong>Use of Protected Health Information for marketing is limited<\/strong><\/p>\n<p>Covered Entities may not send marketing materials to patients on behalf of third parties if the communication is paid for by a third party whose products or services are being promoted. Several exceptions to this rule that applied in the past, whether or not the communication was funded by a third party (i.e., communications about (i) treatment, (ii) a health-related product provided by, or covered by a benefit or insurance plan issued by, the CE making the communication, or (iii) case management, care coordination or treatment alternatives) now apply only if the communication is funded internally by the CE.<\/p>\n<p><strong>Sale of PHI is limited<\/strong><\/p>\n<p>PHI may not be sold, licensed, or accessed in exchange for giving anything of value &#8212; with a handful of exceptions. 
PHI may be disclosed in exchange for remuneration (i) for\u00a0public health purposes, (ii) for\u00a0research, so long as payment is limited to the sending CE&#8217;s costs, (iii) for\u00a0treatment and payment, (iv) in connection with a sale or merger of the CE, (v) to or by a BA where the CE is just paying for the BA&#8217;s services, (vi) to a patient who requests access to his or her own PHI, (vii) as required by law or (viii) as otherwise permitted under HIPAA where the remuneration covers costs only.<\/p>\n<p><strong>Use of PHI for fundraising is limited<\/strong><\/p>\n<p>On the one hand, nonprofit health care providers can target their fundraising efforts by using PHI that clues them in to what services were provided to which patients. On the other hand, each contact must allow a patient to opt out of all future fundraising communications.<\/p>\n<p><strong>Use of PHI for research is simplified<\/strong><\/p>\n<p>A single consent for release of PHI in connection with research study participation can now cover future studies done using the same data. In addition, clinical trial consents can now be combined with retrospective data review consents. (If you like being a lab rat, you won&#8217;t have to sign as many data release forms.)<\/p>\n<p><strong>Use of genetic information for insurance underwriting purposes is banned<\/strong><\/p>\n<p>As required by GINA, genetic information may not be used for health insurance underwriting purposes. Thus, genetic information is now included in the definition of PHI. In addition, the underwriting ban is carried forward into regulation. 
However, genetic information <em>may<\/em> be used in long term care insurance underwriting decisions.<\/p>\n<p><strong>Patients may access PHI electronically<\/strong><\/p>\n<p>Upon request, a CE must provide a patient or an authorized representative a copy of a requested medical record, in the format requested, within 30 days. \u00a0If, for some reason, the 30-day timeframe is unworkable, the regs give CEs an additional 30 days. \u00a0If the CE cannot produce the records in the format requested by the patient, the parties need to get together and agree on a workable compromise solution. Previously, the patient had to make do with whatever format the CE produced (often a paper printout), and had to allow 60 days plus 30 days for tough situations. \u00a0So there is some progress here. \u00a0Of course, a CE that is in compliance with the Meaningful Use regulations for EHR implementation is required, in Stage 2, to provide records to patients electronically within just a few days (though <a href=\"https:\/\/participatorymedicine.org\/epatients\/archives\/2012\/05\/spms-responses-to-the-proposed-rules-for-meaningful-use-stage-2.html\">the Society for Participatory Medicine called for immediate patient access to EHR information<\/a>\u00a0&#8211; as soon as a clinician who did not author the entry can see it, the patient should be able to see it).<\/p>\n<p><strong>Patients may restrict disclosure of some information<\/strong><\/p>\n<p>If a patient pays for a particular service out of pocket, he or she may require that the provider not disclose any information about the service to the patient&#8217;s health plan. 
Providers are required to advise patients about potential inferences that payors can make based on other services provided (e.g., &#8220;If you pay for lab test A out of pocket, but have us bill your health plan for tests B, C, D and E, your health plan will be able to figure out that you had test A done as well.&#8221;) \u00a0If a visit that a patient pays for out of pocket will generate a prescription, the patient would be well-advised to ask that prescriptions be written by hand, so that no electronic notice of the prescription will get to the health plan. In a perfect world, sharing of treatment information with one&#8217;s health plan would not be problematic, but some patients have legitimate concerns about the use and misuse of such information by employers, health insurers, life insurers and others.<\/p>\n<p>The <a href=\"https:\/\/www.federalregister.gov\/articles\/2013\/01\/25\/2013-01073\/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the\">HIPAA Omnibus Rule<\/a> was published on January 25, 2013. \u00a0It is effective 60 days later, and (with certain exceptions) regulated parties must come into compliance within 180 days after that, or September 23.<\/p>\n<p><strong>What do you think?<\/strong><\/p>\n<p>What do you think? Was this rule worth the wait? Are your pet peeves addressed by the final rule? Let us know in the comments.<\/p>\n<p><em><em><a href=\"http:\/\/healthblawg.typepad.com\/healthblawg\/david-harlow-jd-mph-principal-the-harlow-group-llc.html\">David Harlow<\/a> is a health care lawyer and consultant at The Harlow Group LLC, and chairs the Society for Participatory Medicine\u2019s public policy committee. 
\u00a0You should follow him on Twitter:\u00a0<a href=\"http:\/\/twitter.com\/healthblawg\">@healthblawg<\/a>.\u00a0<\/em><\/em><\/p>\n","protected":false}}