Reporting Breaches under HIPAA Omnibus

The new, much more objective guidance for reporting breaches that is included in the HIPAA omnibus rule will result in an increase in notifications.

The revised breach notification guidance clarifies that any unauthorized use or disclosure of patient information is presumed to be a breach unless there's a low probability the information was compromised.

The new breach reporting guidance clearly lowers the threshold for reportable breaches, which will lead to more notifications than under the interim final breach notification rule, in effect since September 2009. That rule had a much more subjective "harm standard" that required breaches to be reported only if the incident posed a significant risk of financial, reputational, or other harm.

To comply with the HIPAA Omnibus Rule, your organization will need to conduct a thorough risk assessment based on the more detailed, multi-step breach reporting guidance.

Assessing Risks

In fact, risk assessments will be an important component of compliance with many aspects of the omnibus rule. In addition to risk assessments tied to breach notification decisions, the expansion of HIPAA compliance requirements to business associates and their subcontractors also will lead to more risk analyses.

If you're a business associate, the first thing you want to do is a HIPAA risk assessment, documenting your organization's privacy practices and procedures.

Covered entities will also need to assess who is a business associate under the rule's new expanded definition. Now, if you're simply maintaining protected health information on behalf of your client, even if you never access it, you're a business associate. That includes many cloud services providers.

Business Associates need to:

  • Update breach notification policies and breach response plans;
  • Make any changes that are needed to notices of privacy practices;
  • Make any changes that are needed to Business Associate Agreements;
  • Take the other steps that covered entities, business associates, and subcontractors should take now to comply with the new HIPAA Mega Rule.

For our current clients, we anticipate having all of the new Mega Rule information provided in your employees' HIPAA training by March 1st. If you need to conduct a Risk Assessment or need help complying with the Mega Rule, please contact us. WE CAN HELP YOU.