Under the HIPAA Omnibus Rule, an impermissible use or disclosure of unsecured protected health information (PHI) is presumed to be a reportable breach unless the healthcare organization demonstrates, through a four-factor risk assessment, that there is a low probability the PHI has been compromised.
The factors that need to be assessed include:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Mitigating the risk to PHI once a disclosure has occurred can prove difficult. There's not much you can do once the horse is out of the barn.
These factors had appeared in the preamble of the interim final breach notification rule, which has been in effect since September 2009. The final version of the rule, issued as part of HIPAA Omnibus, moves them into the rule itself and replaces the interim rule's "significant risk of harm" standard with the low-probability-of-compromise standard described above.
Under the new rule, business associates are held to the same breach definition and risk-assessment standard as covered entities.
The HIPAA Omnibus Rule went into effect on March 26, 2013, and has a compliance deadline of Sept. 23, 2013.