New Breach Notification Standard under HIPAA

Posted by BAS - 14 February, 2013


The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final rule made many changes to the HIPAA Security Rule and Privacy Rule. One of those changes relates to notification of a security breach under HIPAA.

The Omnibus Final Rule establishes a new standard for determining when a covered entity must notify participants of a security breach involving their PHI. Previously, notification was required only if an unauthorized use or disclosure of unsecured protected health information (PHI) posed a significant risk of financial, reputational or other harm to an individual. Now, any unauthorized use or disclosure of unsecured PHI requires notification unless the covered entity can demonstrate, through a documented risk assessment, a "low probability" that the PHI has been compromised.

When it is determined that unsecured electronic PHI has been used or disclosed without permission, the covered entity must conduct a risk assessment examining:

  • The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the PHI or who received the disclosure;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Other factors may be taken into account, and if it is determined that notice is not required, the risk assessment must be documented. The burden is on the covered entity to show that there is a low probability that an unauthorized recipient misused or will misuse the information.

The new standard certainly makes it seem likely that breach notifications will become more frequent. Employers will want to take steps now to reduce the potential risk of disclosure of PHI. Encrypting emails containing PHI is a good first step, as is encrypting all laptops that store PHI. IT departments may also want the ability to recall emails that are sent in error, which supports the position that a misdirected email was recalled before the recipient had a chance to view it. BAS takes the privacy and security of clients' information very seriously, and uses best practices to keep sensitive data private and secure.

Topics: MyEnroll360 Security
