Reporting Breaches under HIPAA Omnibus
The new, much more objective breach reporting guidance included in the HIPAA omnibus rule will result in an increase in breach notifications.
The revised breach notification guidance clarifies that any unauthorized use or disclosure of patient information is presumed to be a breach unless there's a low probability the information was compromised.
The new breach reporting guidance clearly lowers the threshold for reportable breaches, which will lead to more notifications than under the interim final breach notification rule in effect since September 2009. That rule applied a much more subjective "harm standard": a breach had to be reported only if the incident posed a significant risk of financial, reputational or other harm to the individual.
To comply with the HIPAA Omnibus Rule, your organization will need to conduct a thorough risk assessment based on the more detailed, multi-step breach reporting guidance.
In fact, risk assessments will be an important component of compliance with many aspects of the omnibus rule. In addition to the risk assessments tied to breach notification decisions, the expansion of HIPAA compliance requirements to business associates and their subcontractors will also lead to more risk analyses.
If you're a business associate, the first thing you want to do is a HIPAA risk assessment, documenting your organization's privacy practices and procedures.
Covered entities will also need to assess who is a business associate under the rule's new expanded definition. Now, if you're simply maintaining protected health information on behalf of your client, even if you never access it, you're a business associate. That includes many cloud services providers.
Business associates need to:
- Update breach notification policies and breach response plans;
- Make any required changes to notices of privacy practices;
- Make any required changes to Business Associate Agreements;
- Take the other steps that covered entities, business associates and subcontractors should be taking now to comply with the new HIPAA Mega Rule.
For our current clients, we anticipate having all of the new Mega Rule information provided in your employees' HIPAA training by March 1st. If you need to conduct a Risk Assessment or need help complying with the Mega Rule, please contact us. WE CAN HELP YOU.