The new HIPAA Omnibus Rule developed by the Department of Health and Human Services has several important provisions for professionals who must remain compliant with HIPAA regulations. One of these changes involves the alterations to the Breach Notification Rule. Compliance with the new guidelines went into effect on March 26, 2013, and providers must be in total compliance by September 23, 2013.
Assumption of Breach Notification
Under the new guidelines, a breach requiring notification to government entities is assumed in all cases with the following exceptions:
- Situations where the compromise falls under the umbrella of one of three exceptions to the breach definition.
- Situations where the covered entity can demonstrate that there is a low probability that the protected health information was actually compromised.
In the past, covered entities were responsible for notifying affecting individuals after a risk assessment determined that the compromised health information demonstrated a significant risk of reputational or financial harm to that patient. The factors at play in the old system of risk assessment for breach notification were as follows:
- The type and amount of protected health information disclosed
- The individual or group who received the protected health information
- The perceived risk of further disclosure
Now, four factors must be explored when it comes to breach notification:
- The nature and extent of the protected health information directly involved in the breach, including an assessment of the chances of possible re-identification
- The identification of the unauthorized individuals using the protected health information
- Whether the information that was breached was actually received and viewed and
- The efforts made to mitigate the risks connected with the sharing of the protected health information
These four factors must be considered when a covered entity is evaluating the need for a breach notification. A notification can actually be sent without performing the above risk assessment, but going through the procedure is a cost-saving measure that can reduce the expenses for the covered entity concerned about compliance.
Now that all breaches are presumed to be serious, entities should prepare the appropriate administrative protocol and procedures to align with this development. Working through the four factors listed above and documenting the outcome of the risk assessment can be important for establishing grounds for breach notification.
Guidelines for Notification
Covered entities are responsible for notifying individuals about a breach. This task can be assigned to the business associated responsible for the breach, but the covered entity can be held liable for failure to communicate the breach to the affected individuals in a timely fashion.
- A covered entity has 60 days in which to notify affected patients from the first day that the breach is realized.
- If business associates are connected with the breach, final notification to affected patients must occur within 60 days after the business associate has notified the covered entity about the breach.
- Covered entities should update their business contracts to reflect this information regarding the timelines for submission of breach notification.
From the perspective of security and risk of potential audits, it’s important to understand the role that reasonable diligence plays in breaches. The Enforcement Rule specifically goes into detail regarding this term, noting that it is the business care and prudence expected from an individual seeking to satisfy other legal requirements. Although the Rule clarifies this concept to some extent, the concepts of “care and prudence” are still relatively broad.
Depending on the size of the organization, reasonable diligence might mean different things. Evaluating for potential risks and developing plans to mitigate them is critical for remaining in HIPAA compliance and for keeping operations as smooth as possible.